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Nortel’s  1 0G  switch 
deals  Cisco  a  blow 


■  BY  PHIL  HOCHMUTH 

Nortel’s  long-anticipated,  next-generation  10G 
Ethernet  switches  will  be  the  centerpiece  of  a  $6.2 
million  converged  network  the  vendor  is  building 
for  the  city  of  San  Jose  —  a  contract  Nortel  won 
last  week. 

A  botched  $8  million  Cisco  deal  with  the  city 
ended  in  scandal  last  year,  which  was  particularly 
embarrassing  for  Cisco  —  especially  because  it  is 
headquartered  there. 

San  Jose  will  install  four  Nortel  Ethernet  Routing 
Switch  8600s,  based  on  the  vendor’s  latest  10G  archi¬ 
tecture,  slated  to  be  announced  next  month.  Based 
on  its  former  Passport  line,  the  new  technology 
brings  Nortel’s  high-end  switch  up  to  speed  with  10G 


gear  from  rivals  3Com,  Cisco,  Extreme  Networks, 
Force  10  and  Foundry  Networks,  observers  say 
The  deal  with  San  Jose  also  is  a  coup  for  Nortel,  as 
it  won  a  re-bidding  process  for  the  project  after  the 
city  canceled  an  agreement  with  Cisco  when  an  in¬ 
vestigation  turned  up  irregularities  in  how  it  was 
awarded.  In  that  deal,  an  independent  auditor  found 
that  Cisco  and  city  IT  staff  had  inappropriate  contact 
during  the  RFP  process.  As  a  result,  San  Jose  CIO 
Wandzia  Grycz  resigned  in  August. 

The  core  of  the  San  Jose  City  Hall  building’s  LAN 
will  be  built  on  Nortel’s  forthcoming  Ethernet 
Routing  Switch  8600  Version  4.0.  Formerly  the  Pass¬ 
port  8600,  Nortel  is  re-branding  the  product  as  part 
of  the  Ethernet  Routing  Switch  line,  a  family  that  also 

See  Nortel,  page  89 


Forum  airs  wireless  worries 


■  BY  JIM  DUFFY 

NEW  ORLEANS  —  Large  corpo¬ 
rations  face  a  number  of  daunt¬ 
ing  issues  —  from  device  admin¬ 
istration  to  service-level  consis¬ 
tency  —  as  they  look  to  increas¬ 
ingly  mobilize  their  workforces, 
according  to  experts  at  last  week’s 
CTI A  Wireless  2005  conference. 

Companies  are  adopting  wire¬ 
less  technologies  in  greater  num¬ 
bers  as  they  try  to  stay  connected 


to  workers  who  are  in  the  office 
less  and  in  front  of  customers 
more. 

Moreover,  IT  managers  need  to 
monitor,  manage  and  secure 
these  devices  as  if  they  were  hard¬ 
wired  to  a  desktop  within  the 
company  And  they  must  do  so 
while  keeping  the  number  of  mo¬ 
bile  devices  and  the  associated 
expense  to  a  minimum  as  wire¬ 
less  applications,  standards  and 
technologies  continue  to  evolve. 


“Who  carries  one  device  and 
has  it  do  everything  they  desire?” 
Sprint  Executive  Vice  President 
Kathy  Walker  asked  rhetorically 
during  a  conference  session  on 
the  industry  migration  to  3G 
technologies. 

Walker’s  query  reflects  the  hur¬ 
dles  and  questions  facing  the  in¬ 
dustry  as  it  attempts  to  take  enter¬ 
prise  mobility  beyond  just  wire¬ 
less  voice  and  e-mail,  two  appli¬ 
cations  that  typically  require  at 
least  two  devices.  One  mobile 
device  per  user  is  hard  enough  to 
manage,  let  alone  two.  Add  to  that 
the  tendency  of  mobile  workers 
to  purchase  their  own  handsets 
and  wireless  services  for  business 
and  personal  use,  and  the  man¬ 
agement  task  for  IT  can  take  on 
increasing  complexity 
“The  biggest  issue  is  policy  and 
See  CTIA,  page  88 
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Who  will  feed  the  pet  snake? 


Of  love  and  pagers: 
The  life  of  married 
network  pros 


■  BY  CARA  GARRETSON 


For  Doug  and  Ellen  Chick’s  13- 
year-old  daughter,  spending 
an  evening  in  a  server  room 
doing  homework  on  the  floor  is 
not  unusual.  As  the  child  of  a  pair 
of  network  managers,  she’s  had  to 
come  along  for  the  ride  more  tf 
once  when  an  emergency  calls 
one  of  her  parents  back  to  work 
after  hours. 

“My  daughter  has  written  her 
name  on  the  underside  of  some  of 
the  most  expensive  equipment  in  the 

See  Love,  page  12 
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Redline  Networks  helps  medical 
records  management firm 
ChartOne  cure  network  pains 
and  boost  the  business  case  for 
its  Web-enabled  ERP  apps. 


NO  IT  EXECUTIVE  LOOKS  FORWARD  TO  ASKING  upper  management 
to  spend  $200,000  on  a  major  system  upgrade.  But  Henry  Svendblad, 
director  of  IT  at  ChartOne,  Inc.,  felt  he  had  little  choice. 


ChartOne,  based  in  San  Jose,  California,  sells 
technology  and  services  that  help  health  care 
institutions  easily  and  cost-effectively  access  and 
manage  patient  records.  To  better  serve  its 
customers,  which  represent  20%  of  hospitals  in  the 
U.S.,  and  to  ease  the  burden  on  its  own  IT  staff,  the 
company  wanted  to  miqrate  its  ERP  applications  to 
the  Web. 

Like  many  companies  transitioning  to  Web- 
based  applications,  ChartOne  hit  performance 
snags  that  no  amount  of  application  tuning  and 
new  hardware  could  cure.  Only  after  two  years  of 
trial  and  error  did  ChartOne  find  a  cure  in  Redline 
Networks,  which  makes  a  family  of  appliances  that 
deliver  a  broad  set  of  capabilities  to  ease  the 
network  burdens  and  boost  the  business  case  for 
Web-enabled  applications.  With  Redline's  E|X  3250 
enterprise  application  processor  handling  I/O 
processing,  connection  management,  compression, 
load  balancing  and  SSL  processing,  ChartOne 
customers  and  internal  users  are  now  experiencing 
the  performance  they  require  —  and  the  company's 
IT  group  is  realizing  the  administrative  benefits  that 
Web-enabled  applications  can  bring. 
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ON  THE  WEB  TRAIL 

ChartOne's  odyssey  began  in  July  of  2001 ,  when 
the  company  began  migrating  its  homegrown 
client/server  enterprise  applications  to  Peoplesoft  8, 
a  Web-based  ERP  suite.  "We  were  expecting  growth 
of  20%  to  30%  a  year,  and  we  felt  we  needed  a  big 
ERP  system,"  Svendblad  says.  In  addition,  thin, 
standardized  browsers  would  require  far  less  IT 
support  than  fat,  homegrown  clients. 

If  ChartOne  was  going  to  offer  Web-based 
patient  records  management  services,  Svendblad 
also  felt  the  company  "should  eat  our  own  dog  food" 
and  use  a  Web-based  application  platform  internally. 

Webification  proved  to  have  its  challenges, 
however.  As  more  application  modules  and  users 
moved  onto  the  new  infrastructure,  response  times 
slowed  to  a  crawl.  Employees  at  the  company's  10 
remote  offices  sometimes  spent  hours  waiting  for 
tickler  screens  that  had  taken  minutes  to  display 
under  the  old  client/server  system.  The  10-  to  15- 
person  offices  had  plenty  of  bandwidth,  IT  staffers 
knew:  In  anticipation  of  the  migration  to  Peoplesoft 
8,  they'd  deployed  T1  links  to  each  site. 

Users  on  the  corporate  LAN  were  also  having 


difficulties.  By  far,  the  worst  off  was  the  accounts 
receivable  department,  which  processes  more  than 
300,000  transactions  per  month.  Productivity  had 
dropped  by  20%  because  of  response  time  degra¬ 
dation.  "During  peak  usage  periods,  it  was  taking 
people  minutes  to  go  from  screen  to  screen," 
Svendblad  says. 


ChartOne's  Challenges 


Web-enabled  enterprise  applications  were 
overloading  servers. 

Server  processors  were  at  80%  to  90% 
utilization  levels  during  peak  traffic  periods. 
Slow  response  time  over  corporate  LAN  was 
hurting  user  productivity. 

Remote  users  waited  hours  for  screen 
downloads. 


The  Redline  Networks  Cure 


Average  server  CPU  utilization  during  peak 
usage  now  between  10%  and  15%. 

Response  time  returned  to  desirable  levels 
for  local  and  remote  users. 

Remote  sites  no  longer  need  terminal  servers. 
Bandwidth  consumption  decreased  approx¬ 
imately  70%. 

Savings  of  $200,000  by  avoiding  major 
hardware  upgrades. 


Photograph  by  Robert  Houser 
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Reduced  number  of  costly 
security  certificates 
Saved  $200,000  in  server  upgrades 


setup  also  strained  budgets  and  IT  resources. 

Meanwhile,  Web  and  application  servers  were  still 
maxing  out  during  peak  usage  periods.  A  major 
upgrade  seemed  inevitable.  "It  looked  like  we  needed 
a  new  [BEA  Systems]  WebLogic  server,  a  new 
database  server  and  a  third  server  for  finance," 
Svendblad  says.  His  team  priced  out  three  SunFire 
servers  on  the  second-hand  market  at  about  $50,000 
apiece.  He  also  budgeted  $50,000  for  a  LAN 
upgrade,  bringing  the  total  budget  hit  to  $200,000, 
which  Svendblad  calls  a  conservative  estimate. 


IN  SEARCH  OF  A  CURE 

As  user  complaints  mounted,  the  IT  staff  began 
looking  for  remedies.  PeopleSoft  and  Oracle  — 
ChartOne's  application  vendors  —  initially  suggested 
fine-tuning  their  applications.  "With  a  thin  Web 
client,  ERP  systems  involve  complex  querying  in  the 
background,"  Svendblad  explains. 

When  tweaking  back-end  software  produced 
little  improvement,  ChartOne  tried  upgrading  its 
server  hardware.  It  deployed  another  Sun  420R 
application  server  and  storage  box,  then  migrated 
the  main  financial  server  from  a  420R  to  a  more 
powerful  SunFire  server.  "Performance  improved 
slightly,  but  we  were  still  looking  at  CPU  usage  in 
the  high  80%  to  90%  range  during  peak  processing 
time,"  Svendblad  says.  "And  our  phones  were  still 
ringing  off  the  hook." 

Pressed  for  answers,  ChartOne  even  took  the 
radical  step  of  supplying  remote  offices  and  home 
workers  with  terminal  servers.  While  that  substan¬ 
tially  improved  response  time,  maintaining  the 
devices  offsite  was  a  major  burden  on  the  IT 
support  staff.  "It  was  like  we'd  gone  back  to  a 
client/server  setup,"  Svendblad  says,  noting  the 


ONE  VERY  BRIEF  PILOT 

Just  as  he  was  about  to  swallow  that  bitter  pill, 
a  former  colleague  told  Svendblad  about  Redline 
Networks  in  Campbell,  Calif.,  and  its  family  of 
appliances  that  help  enterprises  manage  the 
network  impact  of  Web-enabled  applications  and 
improve  their  business  case. 

In  the  summer  of  2003,  ChartOne  deployed 
Redline's  E|X  3250  enterprise  application  processor 
in  front  of  its  WebLogic  servers.  The  Redline  device 
took  over  complex  scheduling  of  TCP  requests 
and  connection  management  chores  for  as  many 
as  150  users,  saving  the  Web  servers'  CPU  and 
memory  resources  for  other  activities  like  page 
generation.  The  E|X  also  performed  data  compres¬ 
sion  to  speed  up  server  response  and  conserve 
bandwidth. 

Svendblad's  group  started  out  with  a  pilot  test 
within  the  accounts  receivable  group,  which  took 
the  biggest  performance  hit  after  moving  to 
Peoplesoft  8.  Setting  up  users  was  simple  and 
transparent,  Svendblad  reports:  "I  just  changed  the 
local  DNS  setting,  and  when  users  clicked  on  the 
PeopleSoft  icon,  they  were  routed  through  the 
Redline  box.  We  didn't  have  to  change  anything  on 


our  existing  architecture,  or  on  the  WebLogic  or 
PeopleSoft  servers." 

User  response  was  fast  and  dramatic.  "People 
were  asking  us  if  we'd  put  some  magic  juice  in  their 
system,"  Svendblad  reports.  When  word  spread, 
end  users  not  involved  in  the  pilot  "were  pounding 
on  our  door  saying,  'Whatever  you  did  for  her,  do 
for  me!"'  It  may  have  been  the  shortest  pilot  on 
record:  A  day  after  the  test  started,  the  company 
routed  all  the  other  users  through  the  Redline  box. 

TALLYING  THE  BENEFITS 

Once  the  bulk  of  users  was  online,  the  benefits 
of  the  Redline  device  really  began  to  kick  in, 
Svendblad  reports.  Average  CPU  consumption 
during  peak  processing  time  plummeted  from  80% 
or  more  to  less  than  15%.  Bandwidth  consumption 
decreased  approximately  70%. 

The  E|X  3250  now  handles  SSL  encryption, 
as  well.  "We  have  security  without  burdening 
our  servers  with  managing  certificates  or  with  SSL," 
Svendblad  says.  The  company  also  saves  money  on 
SSL  certificates,  since  it  needs  only  one  for  the 
Redline  box  instead  of  one  for  each  server. 

Over  the  past  year,  ChartOne  brought  its 
customer  relationship  management,  HR  and 
Hyperion  Business  Performance  Management 
applications  behind  the  Redline  box.  Most  recently, 
the  company  added  its  View  Manager:  Chart 
Management  Suite  of  ASP  offerings  to  the  set  of 
applications  front-ended  by  the  E|X  platform. 


After  ChartOne  installed  the  Redline 
Networks  E|X  3250,  user  response 
was  dramatically  faster.  "People  were 
asking  us  if  we'd  put  some  magic 
juice  in  their  system,"  says  Henry 
Svendblad,  director  of  IT. 


ChartOne's  hundred-odd  remote  and  mobile 
users  have  completely  eliminated  their  terminal 
servers  and  use  a  standard  Web  browser  to  access 
all  applications,  via  the  E|X  3250.  "The  user  experi¬ 
ence  is  improved,  and  our  support  costs  are  lower," 
Svendblad  says. 

The  bottom  line:  ChartOne  successfully  imple¬ 
mented  a  Web-enabled  ERP  platform  with  a  "single 
box  solution"  that  addresses  critical  Web  tier  issues 
while  dramatically  improving  the  business  case  by 
increasing  user  productivity  and  avoiding  costly 
hardware  upgrades.  End  users  now  experience  the 
same  response  time  levels  and  productivity  they 
had  with  customized  fat  clients  —  but  IT  no  longer 
has  the  support  burden.  Says  Svendblad:  "I  think 
that's  pretty  impressive." 


LEARN  MORE  ABOUT  REDLINE  NETWORKS  ONLINE 


Read  what  leading  analysts  and  other  customers  say 
about  Redline  Networks  at  our  new  InfoCenter,or  call  us  at: 


1.877.550.6420 

Visit:  www.redlinenetworks.com/infocenter 
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This  week  at  Network  Lifer.  The  Expert's 
Guide  to  the  Connected  Home 

Every  day,  Network  Life  offers  everything  you  need  to  know  to 
keep  your  —  and  your  family's  and  friends'  —  home  network 
humming.  Get  the  latest  news,  opinions,  reviews,  how-tos  and 
more.  DocFinder:  4838 

Wireless  LAN  Buyer's  Guide 

Get  the  latest  information  on  WLAN  gear,  including  client  devices 
and  802.11a/b/g  access  points,  in  our  just-updated  Buyer's  Guide. 
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Building  a  media  center,  Part  4 

With  the  kinks  worked  out,  columnist  Keith  Shaw  says  his  home-built 
media  center  shines. 
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Small-Business  Tech 

Getting  out  from  under  Outlook,  Part  1 

Columnist  James  Gaskin  shows  you  how  assessing  your  options  and 
determining  your  needs  can  show  you  whether  you're  a  candidate  t 
move  off  Outlook  and  Outlook  Express.  DocFinder  6351 
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WANs:  Optimizing  your  network  now 

A  new  Technology  Tour  Event  and  Expo  packed  with  immediate- 
impact  ideas,  information  and  strategies  to  help  you  optimize  the 
business  applications  necessary  to  your  company’s  success.  Find 
out  how  you  can  qualify  to  attend  free.  DocFinder  6352 
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Qwest  ups  bid  for  MCI 

■  Qwest  has  increased  its  offer  to  acquire  MCI,  in  an  attempt  to 
derail  last  month’s  merger  agreement  between  MCI  and  Verizon. 
Qwest  now  is  offering  to  pay  about  $26  in  cash  and  stock  for 
each  share  of  MCI,  up  from  its  previous  offer  of  $24.60  per  share. 
MCI’s  board  will  review  the  new  proposal  and  respond  by  the 
close  of  business  on  March  28,  it  said  in  a  statement.  Verizon 
announced  Feb.  14  that  it  had  hammered  out  an  agreement  to 
buy  MCI  in  a  deal  valued  at  $6.7  billion.  Soon  after  that  deal  was 
announced,  Qwest  said  that  it  would  revise  its  previous  offer. 
Now  MCI  has  received  a  revised  offer  from  Qwest  of  $10.50  in 
cash  and  $15.50  in  Qwest  shares  for  each  share  of  MCI. The  Jan. 
31  announcement  that  SBC  plans  to  acquire  AT&T  in  a  deal 
worth  $16  billion  triggered  the  latest  round  of  merger  activity 
among  telecom  companies. 

SEC  levels  fraud  complaint  against  former  Qwest  GEO 

■  After  a  series  of  legal  actions  against  former  executives  of  Qwest  for  alleged  financial 
fraud,  the  Securities  and  Exchange  Commission  finally  worked  its  way  to  the  top  of  the 
executive  ladder.  It  charged  former  Qwest  CEO  and  Co-Chairman  Joseph  Nacchio  last 
week  with  fraud  and  other  securities-law  violations.  The  SEC  charges  against  Nacchio 
came  within  hours  of  a  jury  convicting  another  high-profile  ex-CEO  defendant, 
WorldCom’s  Bernard  Ebbers,  on  all  charges  leveled  against  him  in  connection  with 
WorldCom’s  $11  billion  accounting  fraud.The  SEC’s  charges  are  civil,  not  criminal,  but 
the  agency  generally  conducts  its  investigations  in  tandem  with  the  Department  of 
Justice,  which  has  the  authority  to  bring  criminal  charges.  From  1999  to  2002,  Qwest 
engaged  in  a  complex  scheme  to  improperly  record  more  than  $3  billion  in  revenue 
and  exclude  $17.3  million  in  expenses, according  to  the  SEC.Nacchio’s  attorney, Charles 
Stillman, said  Nacchio  cooperated  with  the  SEC’s  investigation  and  that  he  maintains  his 
innocence. 


TheGoodTheBadTheUgly 

<g>  Metcalfe  medals.  Ethernet  might  be  old,  but  it's  not  forgotten.  Inventing 
the  ubiquitous  network  technology  in  the  1970s  scored  Robert  Metcalfe  a  National 
Medal  of  Technology,  awarded  by  President  Bush  last  Monday.  (See  related  story, 
page  90.) 

McOutsourcing.  We  sympathize  with  IT  folks  losing  their  jobs  as  companies 
seeking  to  operate  more  efficiently  outsource  call  center  and  other  jobs  to  people 
overseas.  But  news  out  of  McDonald’s  last  week  suggests  that  the  trend  really 
might  be  going  too  far.  The 
restaurant  chain's  CEO,  Jim 
Skinner,  told  investors:  "If  you’re 
[at  a  drive-through]  in  L.A. . 


.  .  and  you  hear  a  person 
with  a  North  Dakota  accent 
taking  your  order,  you'll  know 
what  we're  up  to."  > 

Don't  mess  with 

911  .  A  Louisiana  man  sent 
a  malicious  program  using  e- 
mail  that  caused  Microsoft  WebTV 
customers  to  call  the  911  emergency 
service  without  their  knowledge,  and  now  he  is  paying  the  price.  The  man  is  going 
to  jail  for  six  months  after  pleading  guilty  to  intentionally  causing  damage  to 
computers  and  causing  a  threat  to  public  safety,  according  to  a  statement  released 
by  the  U.S.  Attorney's  Office  for  the  Northern  District  of  California. 


information  from  recipients,  the  2005  version  of  the  bill  also  covers  pharming.That  prac¬ 
tice  redirects  a  PC  user’s  browser  to  a  fraudulent  Web  site  asking  for  sensitive  informa¬ 
tion.  While  last  year’s  bill  was  introduced  mainly  to  raise  awareness  of  these  scams,  a 
spokesman  for  Leahy  said  the  senator  hopes  the  2005  version  will  pass  “sooner  rather 
than  later.” 


Bush  names  Martin  new  FGG  chairman 

■  President  Bush  last  week  named  FCC  Commissioner  Kevin  Martin  to  replace  outgo¬ 
ing  Chairman  Michael  Powell  as  head  of  the  regulatory  body  Martin,  a  member  of  the 
FCC  since  2001,  also  served  as  a  special  assistant  to  Bush  and  was  a  lawyer  with  the 
Bush  2000  campaign.  Martin’s  appointment  was  largely  lauded  by  the  telecom  industry. 
Announcements  regarding  a  commissioner  replacement  for  Martin  have  not  been 
made.  While  Bush’s  appointment  of  Martin  to  the  head  of  the  FCC  doesn’t  need 
approval,  the  White  House’s  candidate  for  commissioner  will  require  a  nod  from  the 
Senate  before  being  installed. 


Senator  files  anti-phishing  bill 

■  Sen.  Patrick  Leahy  (D-Vt.)  recently  introduced  a  bill  to  the  Senate  that  attaches  fines 
and  prison  sentences  to  scammers  caught  phishing.  The  Anti-Phishing  Act  of  2005, 
which  is  similar  to  the  bill  Leahy  introduced  in  2004  that  never  came  up  for  a  vote, slaps 
phishers  with  up  to  five  years  in  prison  and  fines  as  high  as  $250,000.  In  addition  to  out¬ 
lawing  phishing, where  scammers  send  e-mails  designed  to  extract  personal  or  financial 

COMPENDIUM 

Reverse  engineering 

Google  came  under  some  fire  for  proposing  an  add-on  to  its  browser  toolbar  that 
would  do  things  such  as  auto-link  addresses  on  Web  pages  to  maps.  Mark  Pilgrim 
has  done  the  reverse,  coming  up  with  a  Firefox  plug-in  that  removes  ads  from  most 
Google  pages  and  links  news  queries  to  non-Google  news  sites.  Read  more  at 
www.nwfusion.com,  DocFinder:  6343. 


Group  urges  increase  in  federal  R&D 

■  The  U.S.  is  in  danger  of  losing  its  technological  edge  unless  its  government  increases 
funding  for  R&D  and  reforms  the  nation’s  education  system,  members  of  the 
Semiconductor  Industry  Association  said  last  week.  SIA  members,  including  Intel  CEO 
Craig  Barrett,  called  for  a  yearly  7%  increase  in  the  National  Science  Foundation’s 
research  budget,  and  increases  in  federal  funding  of  microelectronics  and  nanomanu¬ 
facturing  programs.  They  also  called  for  a  math  and  science  program  in  the  No  Child 
Left  Behind  Act.  Without  a  renewed  national  focus  on  R&D  and  education,  the  semi¬ 
conductor  industry  could  run  into  technology  and  economic  roadblocks  by  2020,  SIA 
members  said  at  a  press  conference.  Barrett  called  R&D  spending  and  educated  work¬ 
ers  the  foundations  for  innovation  and  creativity  in  the  U.S.  But  federal  government 
spending  on  R&D  —  which  funds  university-based  research  in  the  U.S. —  has  been  flat 
for  about  25  years,  SiA  members  said. The  U.S.  ranks  near  the  bottom  of  industrialized 
nations  in  science  and  math  education,  based  on  test  scores,  and  the  number  of  U.S.  res¬ 
idents  applying  for  doctorate-level  degrees  is  shrinking,  Barrett  said. 

“From  a  people  standpoint,  we’re  not  doing  a  particularly  good  job,”  Barrett  said.  “I 
don’t  have  particular  concerns  in  the  near  term  about  our  industry,  but  I  have  great  con¬ 
cerns  about  our  industry  10  to  15  to  20  years  out.” 
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SAS,  the  leader  in  business  intelligence  software,  asks... 


SERVICE  LEVEL  MANAGEMENT 


RESOURCE  MANAGEMENT 


CHARGE  MANAGEMENT 


VALUE  MANAGEMENT 


No  business  wants  to  believe  it’s  wasting  precious  IT  dollars.  So  if  executives  and  co-workers  grumble  about  IT  service, 
and  you’re  convinced  those  services  could  be  put  to  better  use,  let  SAS  help.  With  SAS®  IT  Management  solutions, 
you  can  measure,  manage,  understand  and  communicate  the  quality  of  every  IT  service  more  accurately.  You’ll 
know  precisely  how  your  business  is  using  IT  resources.  Ensure  maximum  performance  and  response  times.  Predict 
strategic  and  financial  trends.  And  clearly  visualize  the  value  of  IT  from  business,  revenue  and  profit  perspectives. 
Visit  our  Web  site  to  learn  more  and  read  our  free  white  paper,  Align  IT  with  Business  and  Budget  Strategies. 
Or  call  us  toll  free  1  866  731  1364. 

www.sas.com/spent 


Author  Nicholas  Carr  and  top  business  influencers  join  in  a  lively  discussion  about  his  controversial  book,  Does  IT  Matter? 
Check  out  our  Web  site  for  more  on  this  informative,  on-demand  Web  seminar. 


The  Power  to  Know* 


SAS  and  ail  other  SAS  Institute  Inc.  product  or  service  names  are  registered  trademarks  or  trademarks  of  SAS  Institute  Inc.  in  the  USA  and  other  countries.  ®  indicates  USA  registration.  Other  brand  and  product  names  are  trademarks  of  their  respective  companies.  ©  2005  SAS  Institute  Inc.  All  rights  reserved.  32230?  o' 


NetworkWorid 


3/21/05 1  News 


www.nwfusion.com 


Compliance  pressures  still  mounting 

Regulatory  requirements,  mainly  Sarbanes-Oxley,  continue  to  squeeze  IT  budgets  and  staff. 


■  BY  DENISE  DUBIE  AND 
ANN  BEDNARZ 

The  tab  for  regulatory  compli¬ 
ance  continues  to  climb  —  and 
along  with  it,  demand  for  IT  pro¬ 
jects  to  bolster  security  storage 
and  reporting  capabilities. 

U.S.  companies  will  spend 
$15.5  billion  on  compliance-relat¬ 
ed  activities  this  year,  according 
to  research  published  last  week 
by  AMR  Research.  A  large  chunk 
of  the  spending  is  designated  for 
public  companies’  projects  relat¬ 
ed  to  the  Sarbanes-Oxley  (SOX) 
Act  of  2002.  SOX  spending  will 
grow  11%  from  $5.5  billion  last 
year  to  $6.1  billion  this  year,  AMR 
says. Other  budget-consuming  ini¬ 
tiatives  include  compliance  with 
the  Health  Insurance  Portability 
and  Accountability  Act  (HIPAA), 
Food  and  Drug  Administration 
regulations,  and  the  Basel  II  inter¬ 
national  banking  accord. 

In  particular,  SOX  has  put  a  spot¬ 
light  on  compliance  initiatives 
since  it  affects  a  broader  swath  of 
companies  than  some  of  the 
industry-  or  geographic-specific 
regulations,  says  John  Hagerty, 
vice  president  of  research  at  AMR 
Research.  Additionally  it’s  getting 
budget  priority  over  other  regula¬ 
tory  projects  because  its  dead¬ 
lines  are  imminent.  “Those  with 
the  shortest  deadlines  move  to 
the  top  of  the  queue,”  he  says. 

Passed  in  the  wake  of  account¬ 
ing  scandals  at  companies  such 
as  Enron  and  WorldCom,  SOX  is 
designed  to  deter  fraud  and  add 
transparency  to  public  compa¬ 
nies’  financial  reporting  proce¬ 
dures.  Among  the  more  onerous 
of  the  legislation’s  requirements  is 
Section  404,  which  calls  for  com¬ 
panies  and  their  auditors  to  for¬ 
mally  attest  to  the  existence  and 
adequateness  of  internal  controls 
over  financial  reporting  systems. 

Establishing,  testing  and  docu¬ 
menting  such  controls  is  a  time 
consuming  effort  that  not  only 
has  financial  departments  scram¬ 
bling  but  involves  nearly  every 
aspect  of  IT. 

The  toughest  part  of  SOX  com¬ 
pliance  is  the  scrutiny  it  places  on 
the  IT  department,  says  James 
Olson,  CIO  at  Waterbury  Hospital 
in  Connecticut.  SOX  has  in¬ 
creased  the  number  and  compre 
hensiveness  of  IT-related  audits, 
he  says.  “It  used  to  be  that  a  100- 
watt  bulb  would  be  turned 
toward  IS  once  a  year.  Now  we 


have  a  searchlight  looking  at  us.” 

Prior  to  the  legislation,  auditors 
examined  the  hospital’s  patient 
accounting  system.  Today,  audits 
extend  to  multiple  applications, 
including  accounting,  payroll, 
materials  management  and  deci¬ 
sion  support  systems. 

Auditors  today  look  not  only  at 
backup,  data  center  security  and 
password  administration  but  also 
division  of  labor  within  the 
department,  Olson  says.  “They 
have  increased  what  they  are 
auditing  and  [now  look  into]  the 
formality  of  the  policies,  proce¬ 
dures  and  processes  supporting 
the  department,”  he  says. 

What  makes  SOX  tough  is  that 
there’s  no  one-size-fits-all  check¬ 
list  for  compliance,  adds  James 


Kritcher,  vice  president  of  IT  at 
White  Electronic  Designs.  “From 
an  IT  perspective,  the  actions  that 
a  company  will  need  to  take 
depend  on  what  is  discovered  in 
the  internal  controls  inspection. 
IT  leaders  need  to  work  closely 
with  the  Sarbanes-Oxley  auditors 
to  make  sure  that  they  know  what 
their  companies’ weaknesses  are.” 

When  it  comes  to  choosing 
technology  to  help  with  Section 
404  compliance,  purchases  run 
the  gamut  from  security  and  doc¬ 
ument  management  to  collabora¬ 
tion  and  performance  manage¬ 
ment  products.  There’s  no  short¬ 
age  of  vendors  offering  SOX  com¬ 
pliance  assistance. 

For  example,  OpenService  this 
week  is  expected  to  release  new 
versions  of  its  flagship  Security 
Threat  Manager  software,  as  well 
as  Security  Log  Manager,  an  add¬ 


on  monitoring  application  that 
alerts  security  managers  to  events 
that  don’t  comply  with  pre¬ 
defined  SOX  policies. 

Last  week,  SAP  announced  a 
deal  with  compliance  specialist 
Virsa  Systems  to  offer  its  Com¬ 
pliance  Calibrator  software  to 
SAP  users  to  help  keep  tabs  on 
ERP  system  controls  and  avoid 
segregation-of-duties  conflicts 
among  end  users. 

Getting  help 

To  automate  manual  processes, 
Waterbury  Hospital  has  pur¬ 
chased  configuration  control  soft¬ 
ware  for  patching  its  servers,  pass¬ 
word  control  software  and  other 
technology  Olson  says. 

White  Electronic  Designs  uses 


automated  configuration  man¬ 
agement  tools  from  Ecora  and 
Tripwire  to  automate  some 
of  its  SOX  requirements,  Kritcher 
says.  The  Phoenix  company 
uses  the  tools  to  document  base¬ 
line  device  configurations  and 
detect  unauthorized  infrastruc¬ 
ture  changes,  he  says.  “Without 
these  types  of  tools,  compliance 
would  be  much  more  difficult.” 

Even  with  the  tools,  the  burden 
of  SOX  is  palpable.'A  great  deal  of 
IT  time  over  the  past  year  has 
been  spent  on  Sarbanes-Oxley 
compliance  activities,”  Kritcher 
says.“We  had  to  defer  a  couple  of 
planned,  funded  projects  to  divert 
staff  resources  to  the  compliance 
effort.  The  current  year  is  looking 
much  the  same.” 

One  of  the  aspects  of  SOX  that 
has  surprised  companies  is  that 
it’s  an  ongoing  effort,  Hagerty 


says.  “People  thought  it  would  be 
a  Y2K-like  effort,  but  it’s  not. 
Companies  have  to  deal  with  SOX 
requirements  perpetually’ 

The  ongoing  nature  of  SOX  com¬ 
pliance  is  disruptive  and  costly 
Olson  says.  “The  auditors  will 
always  find  yet  one  more  aspect 
that  needs  doing,”  he  says. 

But  there  also  are  advantages 
for  IT  to  SOX  regulations,  which 
can  provide  an  impetus  for  com¬ 
panies  to  formalize  their  docu¬ 
mentation  and  process  controls. 
Many  of  the  practices  SOX  has 
necessitated  are  good  manage¬ 
ment  practices,  Olson  says.  “It  is 
just  we  always  gave  them  lower 
priority  than  our  day-to-day  stuff 
so  implementation  dragged,”  he 
says.“Now  we  have  no  alternative.” 

Mike  Levinson,  IT  capacity  plan¬ 
ning  and  change  manager  at 
Hannaford  Bros.,  a  supermarket 
retailer  in  Portland,  Maine,  agrees. 
Levinson  says  SOX  compliance 
helped  him  get  management  to 
approve  the  process-oriented 
approach  he  prefers  to  take.  A  for¬ 
mer  IBM  systems  administrator, 
Levinson  always  wanted  to  instill 
change  management  processes 
at  the  supermarket  chain  before 
SOX  auditors  hit  the  scene. 

“Sarbanes-Oxley  helped  us  get 
processes  in  place  that  probably 
should  have  been  in  place,”  he 
says. 

Levinson  says  an  audit  of 
Hannaford’s  IT  shop  showed  the 
company  could  improve  its 
change  management  processes 
and  its  security  controls  such  as 
defining  separation  of  duties  and 
establishing  consistent  policies 
across  system  platforms. 

Levinson  notes  security  policies 
on  Windows,  Unix,  Linux  and 
mainframe  servers  —  all  of  which 
Hannaford  has  —  differ  and  SOX 
will  require  the  IT  department  to 
define  consistent  rules  across  the 
platforms.  Also,  SOX  security  poli¬ 
cies,  such  as  incident  response, 
need  to  be  clearly  stated  to  avoid 
any  ad  hoc  firefighting  when,  say, 
a  virus  breaks  out. 

Levinson  estimates  that  his  IT 
team  spends  about  60%  of  its 
time  fixing  problems,  which  take 
priority  over  long-term  IT  pro¬ 
jects.  Now  with  SOX  compliance 
on  their  list  of  things  to  do  as  well, 
he  says  he  can’t  “accurately  pre¬ 
dict  how  many  resources  we  will 
have  for  IT  projects,”  which  means 
they  could  potentially  miss 
scheduled  deadlines. 


Because  Hannaford  is  owned 
by  the  Belgium-based  Delhaize 
Group,  the  company  has  another 
year  to  get  compliant  with  Section 
404. The  Securities  and  Exchange 
Commission  this  month  granted 
small  and  midsize  public  compa¬ 
nies  with  a  market  capitalization 
less  than  $75  million,  as  well  as 
international  companies,  a  one- 
year  reprieve  until  July  15,2006. 

Large  public  companies  with  a 
market  capitalization  of  at  least 
$75  million  —  with  some  excep¬ 
tions  —  must  begin  including 
internal  control  reports  required 
by  Section  404  in  annual  reports 
filed  for  their  first  fiscal  year  end¬ 
ing  on  or  after  Nov  15,2004. 

Looking  ahead,  AMR’s  Hagerty 
says  companies  will  become 
more  strategic  about  addressing 
SOX.  Efforts  this  year  will  shift 
away  from  manual  processes  and 
toward  automating  compliance, 
he  says.“Fixes  are  heavily  manual 
today,  but  that  can’t  go  on  indefi¬ 
nitely  or  it  would  pose  a  real  hin¬ 
drance  to  business.” 

Kritcher  says  he  sees  an  oppor¬ 
tunity  to  shed  some  compliance 
costs  and  free  up  IT  resources  “by 
implementing  systems  and  pro¬ 
cesses  that  simplify  the  compli¬ 
ance  monitoring  and  audit  pro¬ 
cess."  As  companies  put  compli¬ 
ance  controls  in  place  it  makes 
sense  to  look  for  process  reengi¬ 
neering  opportunities,  he  says. 

Shifting  SOX  budgets  from 
headcount-related  costs  to  tech¬ 
nology  purchases  reflect  shifting 
mind-sets,  Hagerty  says. 

Whereas  companies  spent 
about  $1.1  billion  in  2004  on  SOX- 
related  technology  this  year  they 
will  spend  $1.7  billion,  he  says. 
“People  are  spending  more  in  ‘05 
than  ‘04  because  they  realize  they 
have  to  automate  a  lot  of  the  stuff 
they  did  by  brute  force  last  year1 

Next  up  is  finding  ways  to  use 
technology  to  remediate  any 
compliance  shortcomings.  By  the 
end  of  2005,  companies  will  be¬ 
gin  to  deploy  technology  not  only 
to  automate  processes  and  iden¬ 
tify  gaps,  but  also  to  help  auto¬ 
matically  close  up  any  gaps  that 
appear,  Hagerty  says.  ■ 


■  Read  how  offsite  secu¬ 
rity  causes  problems 
with  Sarbanes-Oxley  com¬ 
pliance.  PAGE  27. 


SOX  technology  priorities 

Security  products  top  the  list  of  technologies  that  companies 
plan  to  purchase  to  aid  in  Sarbanes-Oxley  compliance, 
according  to  a  survey  by  AMR  Research  of  95  people. 
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management  /  Reporting  and  risk 

management 

-  7% 
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-  9% 
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management 
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management 

—  17% 
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Spam  and  virus  protection  at  an  affordable  price. 

/ 

•  No  per  user  license  fees  / 

•  Prices  starting  at  $1399 

•  Powerful,  enterprise-class  solution 


Barracuda  Spam  Firewall 


©Copyright  2004,  Barracuda  Networks.  Inc  All  rights  reserved  Reclaim  Your  Email, and  Barracuda  Spam  Firewall  are  either 
trademarks  or  registered  trademarks  of  Barracuda  Networks,  Inc  and/or  it  subsidiares  in  the  United  States  and/or  other  countries. 


Order  a  free  evaluation  unit  at 
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POWERFUL  EASY  TO  USE  AFFORDABLE  Get  more  info  by  visiting  www.barracudanetworks.com/ifor 

or  by  calling  1-888-ANTI-SPAM  or  408-342-5400 


10 

NetworkWorld 

3/21/05 

lews 

www.nwfusion.com 

Buyout  ends  Akamai,  Speedera  feud 


■  BY  JENNIFER  MEARS 

The  news  last  week  that 
Akamai  Technologies  had  ac¬ 
quired  Speedera  Networks  con¬ 
firmed  two  things:  The  deal  will 
end  the  companies’  bitter  rivalry 
and  the  content  delivery  market 
has  matured  out  of  its  turbulent 
adolescence. 

The  acquisition,  still  subject  to 
regulatory  approval,  is  aimed  at 
creating  a  global  content  deliv¬ 
ery  network  (CDN)  powerhouse 
that  can  better  compete  with 
emerging  content  and  applica¬ 
tion  delivery  services  from  big¬ 
ger  players  such  as  AT&T  and 
Sawis  Communications,  (which 
through  a  series  of  acquisitions 
owns  CDN  firm  Digital  Island), 
Akamai  executives  say.  In  addi¬ 
tion,  it  puts  an  end  to  drawn-out 
legal  squabbling  between  the 
two  firms  since  all  litigation  is 
stayed  as  a  result  of  the  merger 


agreement. 

“By  the  standards  of  business 
actions,  it  really  makes  a  lot  of 

sense _ It’s  a  simple,  face-value 

good  deal,”  says  Peter  Christy  co¬ 
founder  of  NetsEdge  Research 
Group.  “But  if  you  read  between 
the  lines,  there  were  a  bunch  of 
legal  actions  that  were  about  to 
reach  some  serious  event.  ... 
There  was  a  call  to  action,  there 
was  a  reason  this  happened  now, 
otherwise  the  barrel  was  going  to 
go  over  the  waterfall.” 

The  acquisition  appears  to  be  a 
good  deal  for  Akamai,  which 
eliminates  a  primary  competitor 
and  gains  access  to  some  350 
companies,  as  well  as  a  presence 
in  India.  Speedera  last  fall 
opened  operations  in  Bangalore, 
and  has  50  of  its  125  employees 
there,  says  Ajit  Gupta,  Speedera’s 
president,  CEO  and  founder. 

What  the  deal  means  to  cus¬ 
tomers  is  less  clear. 


Playing  nice 


After  years  of  battling  it  out,  content  delivery  specialists  Akamai  and  Speedera  are 
joining  forces.  A  look  at  the  two  firms: 


Year  founded 
Number  of  customers 

Size  of  overlay  network 

Sampling  of  services 


Akamai 

1998,  IPO  in  1999. 

More  than  1,300,  including  FedEx, Toyota 
and  the  Department  of  Defense. 

14,000  edge  servers  in  1,100  networks 
in  more  than  65  countries. 

On-demand  hosting  services,  business 
continuity,  site  security  and  dynamic 
application  delivery. 


Speedera 

1999,  private  company. 

350,  including  HP,  Lowes  and  NASA. 

Edge  servers  with  connection  to  more 
than  1,000  networks. 

Support  for  eCommerce,  site  security, 
business  continuity  and  distributed 
application  delivery. 


“It’s  good  for  [the  companies]. 
It’s  just  simple  consolidation.  It’s 
less  good  for  us  customers  in  that 
it  takes  away  a  competitive 
option,  reducing  our  leverage,” 
says  an  Akamai  customer  who 
asked  not  to  be  named.“Speedera 
was  an  important  alternative  sup¬ 


AT&Ts  Treasury  deal  in  doubt 

Federal  overseers  say  bid  should  be  reopened  after  upholding  protests. 


■  BY  CAROLYN  DUFFY  MARSAN 

The  Government  Accountability  Office  last  week 
ruled  that  the  Department  of  the  Treasury  should 
reopen  negotiations  for  a  $1  billion  telecommuni¬ 
cations  contract  that  the  agency  awarded  to  AT&T  in 
December. 

The  GAO  sustained  five  protests  filed  by  other 
bidders  on  the  Treasury  Communications  Enter¬ 
prise  (TCE)  contract.  Broadwing  Communications, 
Level  3  Communications,  MCI,  Northrup  Grumman 
Information  Technology  and  Qwest  Government 
Services  filed  the  protests.  A  seventh  bidder  on  the 
contract  —  Sprint  Communications  —  did  not  sub¬ 
mit  a  protest. 

“We  found  there  was  merit  to  the  protests,  and 
we  recommend  the  agency  reopen  its  negotia¬ 
tions,”  a  GAO  official  said.  “Treasury  didn’t  have 
discussions  with  all  the  bidders,  and  we’re  telling 
them  to  do  that.” 

The  GAO  received  an  administrative  report  from 
the  Treasury  Department  and  held  a  hearing  on  the 
five  protests  before  making  its  decision.  Because  the 
TCE  bids  involve  trade  secrets  and  proprietary  infor¬ 
mation,  the  GAO  decision  was  issued  under  a  pro¬ 
tective  order.  However,  the  GAO  official  said  a 
redacted  version  of  its  findings  will  be  released  to 
the  public  by  this  week. 

AT&T  insists  it  will  overcome  the  setback. 

“We’re  disappointed  in  the  GAO’s  decision  but  we 
fully  intend  to  compete  vigorously  to  retain  this 
award  as  the  Treasury  Department  amends  it  and 
collects  additional  information  from  bidders,”  said 
Lou  Addeo,  president  of  AT&T  Government  Solu¬ 
tions  in  a  statement.“We  strongly  believe  we  submit¬ 
ted  far  and  away  a  superior  solution  to  Treasury’s 


networking  needs,  and  we  look  forward  to  making 
our  case  again  to  Treasury’ 

The  TCE  contract  would  provide  telecommunica¬ 
tions  services  and  support  to  more  than  1,000 
domestic  locations  and  tens  of  thousands  of  agency 
users  in  the  U.S.  and  overseas.  The  Treasury  Depart¬ 
ment  includes  the  Internal  Revenue  Service,  the  U.S. 
Mint  and  the  Comptroller  of  the  Currency  among  its 
bureaus. 

The  TCE  contract  calls  for  three  base  years  and 
seven  one-year  options,  and  its  value  is  estimated  as 
high  as  $1  billion. 

AT&T  Government  Solutions  planned  to  build  a 
secure,  high-speed  IP  VPN  to  handle  Treasury’s  voice, 
video  and  data  traffic.  AT&T’s  team  for  the  TCE  bid 
included  Accenture,  BAE  Systems  and  Lucent. 

“We  definitely  plan  to  rebid  TCE,”  says  Jerry 
Edgerton, senior  vice  president  of  MCI’s  Government 
Markets  Division.  Edgerton  says  TCE  is  one  of  the 
biggest  telecommunications  procurements  under¬ 
way  in  the  federal  government  market,  and  it  is 
among  MCI’s  top  priorities  this  year.  ■ 


Corrections 


■  The  story  "Offshoring  closer  to  home"  (March 
1 14,  page  25)  should  have  stated  that  Wayne 
|  Gudbranson  is  president  and  GEO  at  IT  research  and 
|  consulting  firm  Branham  Group. 

|  ■  The  story  "Wyse  CEO  touts  software  initiative" 
(March  14,  page  21)  should  have  listed  Garnett  & 

I  Helfrich  on  second  reference  as  G&H. 


plier.  But  that  said,  in  general 
Akamai  has  been  a  good  partner 
to  us,  and  we’ll  probably  see 
some  benefit  from  their  in¬ 
creased  size  and  scale.” 

“Whether  it’s  good  news  in  a 
general  sense  for  the  CDN  mar¬ 
ket,  that’s  harder  to  say  and  a  little 
more  doubtful,”  says  Lydia  Leong, 
principal  analyst  at  Gartner.  “It’s 
removing  a  competitor  and  turn¬ 
ing  Akamai  into  even  more  of  a 
powerhouse  than  it  has  been  in 
the  past.” 

That  could  result  in  more  ex¬ 
pensive  services  overall,  Leong 
points  out.  While  smaller  players, 
including  Mirror  Image,  Netli  and 
Limelight  Networks,  remain,  the 
bulk  of  the  CDN  business  has 
been  going  to  Akamai  and 
Speedera  for  some  time. 

On  the  other  hand,  taking  some 
of  the  cutthroat  competition  out 
of  the  market  might  be  a  good 
thing,  analysts  say 

For  years,  the  CDN  market  has 
been  mired  in  legal  battles,  not 
the  least  of  which  has  been  the 
back-and-forth  between  Akamai 
and  Speedera.  The  two,  which 
defined  the  CDN  market  when 
they  were  launched  just  one  year 
apart  in  the  late  1990s,  have  been 
archenemies  in  and  out  of  the 
courtroom. 

Speedera  has  billed  itself  as  a 
lower-cost  alternative  to  Akamai. 
In  2002,  when  Akamai  initially 
sued  Speedera,  claiming  the  com¬ 
pany’s  CDN  services  infringed  on 
Akamai  patents,  Speedera  had  a 
promotion  running  on  its  Web 
site  in  an  effort  to  lure  Akamai 
customers  to  its  service.  At  that 
time,  Akamai  also  accused 
Speedera  of  unfair  competition, 
and  later  that  year  filed  a  lawsuit 
accusing  Speedera  CTO  Richard 
Day  of  breaking  into  a  protected 
Akamai  database. 

“It’s  almost  like  the  Capulets 


and  Montagues  have  kissed  and 
made  up,”  says  Counse  Broders, 
principal  analyst  for  Internet 
and  managed  services  at 
Current  Analysis.  “They  have 
been  such  major  rivals.  .  . .  But 
they’re  getting  rid  of  those  pesky 
lawsuit  issues.  It  lets  them  focus 
now  on  the  bigger  market  and 
not  have  to  worry  about  their 
next  court  case." 

Despite  the  constant  bickering, 
both  companies  have  had  recent 
success. 

In  February  Akamai  reported 
what  CEO  George  Conrades 
termed  the  best  financial  results 
in  the  company’s  history,  with  full- 
year  net  income  of  $34.4  million 
in  2004,  compared  with  a  net  loss 
of  $29.3  million  the  year  earlier. 

As  for  Speedera,  which  be¬ 
came  profitable  in  2003,  it  re¬ 
ported  revenue  for  the  second 
quarter  of  $8.28  million,  up  by 
half  when  compared  with  the 
same  quarter  a  year  ago.  The 
company  says  its  net  income 
tripled  when  compared  with 
the  second  quarter  of  2003. 

Part  of  the  reason  for  the  rev¬ 
enue  growth  is  that  both  compa¬ 
nies  have  been  rolling  out  more 
sophisticated  services.  For  exam¬ 
ple,  Speedera  last  month  intro¬ 
duced  FlexComputing  to  host  en¬ 
terprise  applications  and  acceler¬ 
ate  their  delivery 

Akamai  also  is  focusing  on 
application  acceleration  and  vir¬ 
tual  Web  hosting,  areas  that  are 
becoming  increasingly  important 
as  businesses  put  more  applica¬ 
tions  onto  the  Web.  ■ 


Servers 
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Vendors  target  Web  services/SOA  mix 


■  BY  JOHN  FONTANA 

Iona  Technologies  and  Reactivity  this 
week  are  scheduled  to  unveil  their  latest  in¬ 
frastructure  technology  aimed  at  helping 
users  build  service-oriented  architectures. 

Iona  plans  to  release  Artix  3.0,  which 
adds  real-time  upgrade  features,  integration 
with  corporate  development  tools,  failover 
capabilities  and  support  for  emerging  Web 
services  standards  for  transactions. 

Separately  Reactivity  is  set  to  unveil  an 
appliance  it  calls  SOA  Gateway  which  is 
designed  to  provide  security  and  connec¬ 
tion  to  legacy  applications  for  users 
deploying  Web  services  in  and  among  cor¬ 
porate  data  centers.  The  gateway  for  use 
internally  is  being  paired  with  Reactivity’s 
XML  Security  Gateway  which  is  designed  to 
run  on  the  edge  of  corporate  networks. 

Interest  in  the  concept  of  SOA  has  grown 
over  the  past  year  as  companies  find  suc¬ 
cess  with  initial  Web  services  projects 
focused  on  point-to-point  integration.  Now 
they  want  to  fit  those  Web  services  into  an 
SOA  but  find  they  are  missing  needed  tools 


and  infrastructure,  according  to  experts. 

“What  users  are  finding  out  is  that  the  the¬ 
ory  of  an  SOA  is  more  attractive  than  the 
reality  says  Shawn  Willett,  an  analyst  with 
Current  Analysis.“The  nitty-gritty  is  that  you 
need  to  accommodate  a  lot  of  ways  to  get 
at  information  and  ways  to  pass  transac¬ 
tions  that  are  not  covered  by  today’s  Web 
services  standards.  People  are  realizing  that 
and  trying  to  accommodate  that.” 

Willett  says  users  are  finding  that  the  def¬ 
inition  of  a  standard  is  not  clean  and  tidy 
and  that  simple  request  and  response  sorts 
of  services  don’t  substitute  for  transaction¬ 
al  integrity“lt  is  hard  to  fit  that  into  Web  ser¬ 
vices  the  way  the  standards  are  written 
right  now?  he  says.“So  users  have  to  be  flex¬ 
ible  in  their  definition  of  service  in  order  to 
build  an  SOA.” 

Iona  is  trying  to  provide  some  of  that  flex¬ 
ibility  with  Artix  3.0,  which  runs  within  the 
services  and  is  not  installed  as  a  hub  in  the 
network.  Artix  uses  plug-ins  to  legacy  trans¬ 
action  platforms  and  applications  that  help 
expose  those  systems  as  services  with  sup¬ 
port  for  a  wide  range  of  protocols,  trans¬ 


ports,  data  models  and  security  standards. 
New  in  Version  3.0  is  an  extension  that  lets 
users  upgrade  services  without  having  to 
take  them  down.  Iona  also  has  added  sup¬ 
port  for  the  Eclipse  development  environ¬ 
ment  and  Visual  Studio  .Net  so  developers 
can  use  familiar  tools  when  building  new 
services  that  incorporate  Artix. 

“It’s  like  application  server  clustering 
without  the  application  server?  says  Eric 
Newcomer,  CTO  for  Iona,  which  competes 
with  Sonic,  webMethods  and  Actional. 

The  Artix  3.0  is  slated  to  cost  $10,000  per 
CPU. 

Reactivity’s  angle  is  a  set  of  appliances  to 
boost  the  performance  and  secure  com¬ 
munications  within  an  SOA,  especially  in 
the  data  center,  where  SOA  Gateway  is 
focused. 

“In  the  data  center,  you  have  a  higher 
level  of  transaction  rates  so  there  are  larger 
numbers  of  interactions  that  occur,  and 
there  is  a  much  higher  emphasis  on  identi¬ 
ty  and  access  control,”  says  Andrew  Nash, 
CTO  of  Reactivity 

SOA  Gateway  integrates  with  existing 


authentication  and  authorization  systems 
such  as  those  from  RSA  and  Oblix.and  acts 
as  an  access  and  policy  enforcement  point 
in  the  network.  It  also  logs  each  transac¬ 
tion.  The  gateway  includes  acceleration 
technology  to  speed  access  control  and 
policy  lookups,  and  supports  more  than 
250  XML  and  non-XML  data  formats. 

The  appliance  runs  on  top  of  Red  Hat 
Linux  and  includes  Reactivity’s  XML  Oper¬ 
ating  System.  It  competes  with  similar  pro¬ 
ducts  from  Datapower,  Sarvega  and  Forum 
Systems. 

Software  and  appliances  from  Iona  and 
Reactivity  come  on  the  heels  of  Vordel’s 
updates  earlier  this  month  to  its  Secure 
XML  Gateway  and  Director  products.  Both 
feature  a  new  XML  schema  editor  that  gen¬ 
erates  an  XML  schema  from  a  message 
based  on  Simple  Object  Access  Protocol. 
Secure  Gateway  has  been  updated  with  an 
XPath  wizard,  which  lets  users  specify  what 
parts  of  an  XML  document  must  be  signed 
and  encrypted,  and  integration  with  Web 
access  control  platforms  from  RSA. 

SOA  Gateway  costs  $65,000.  ■ 


Love 

continued  from  page  1 

world,”  jokes  Doug,  the  43-year-old  director  of  IS  for  Katsur 
Management  in  Orlando. 

That’s  one  of  the  downsides  to  being  network  managers 
in  love  —  both  partners  are  always  on  call.This  can 
mean  priorities  at  home  take  a  back  seat;  the  dog  doesn’t 
get  walked,  the  school  play  is  missed,  an  algebra  assign¬ 
ment  is  done  behind  a  server  rack. 

Life’s  no  easier  for  Jeff  and  Andrea  Westerinen,  a  pair  of 
product  developers  who  both  work  for  technology  com¬ 
panies.  When  laundry  doesn’t  get  done  at  the  Westerinen 
household  because  of  crazy  travel  schedules  or  long 
evenings  at  work,  Jeff,  a  48-year-old  architect  at  Microsoft, 
suggests  the  family  just  buy  new  underwear.  His  wife, 
Andrea,  an  architect  at  Cisco,  doesn’t  react  quite  as 
breezily  “When  we’re  really  busy  who  worries  about  din¬ 
ner  and  the  laundry?”  asks  Andrea,  also  48.“That’s  proba¬ 
bly  my  domain.” 

It’s  not  that  demanding  travel  and  long  hours  are 
unique  to  technology  professionals,  but  Andrea  feels  this 
industry  puts  more  pressure  on  employees  than  most. 
“You’re  expected  to  be  on  e-mail,  to  be  accessible,  to  do 
your  phone  calls  with  India  at  bizarre  times  of  the  day  In 
the  high-technology  business,  you  bring  your  work  home 
with  you,”  says  Andrea,  who  spends  two  weeks  a  month 
away  from  the  family’s  home  in  Seattle  at  Cisco’s  San  Jose 
office,  in  addition  to  other  travel. 

When  Andrea  and  Jeff’s  travel  schedules  collide,  the 
couple  calls  in  reinforcements.They  have  flown  in  family 
members  from  other  states  to  take  care  of  their  1 1-year- 
old  daughter  when  they’re  both  on  the  road,  and  often 
rely  on  neighborhood  kids  to  feed  their  pet  snake,  tortoise 
and  fish  when  they’re  working  late  and  their  daughter  is 
staying  with  a  friend. 

Most  frustrating  for  her  is  when  travel  makes  her  miss  her 
daughter’s  concerts.’That’s  the  worst,”  she  says, “when  you 
feel  maybe  the  industry  is  costing  you  too  much.” 

Family  vacations  at  Comdex? 

The  Chicks,  who  occasionally  attend  industry  confer- 


Andrea  and  Jeff  Westerinen  call  on  extended  family  and  neigh¬ 
bors  to  help  with  childcare  and  pet  feedings. 


ences  together,  have  been  known  to  bring  their  daughter 
to  local  events,  but  have  stopped  short  of  turning  work- 
related  travel  into  family  travel.“I  don’t  think  our  daughter 
would  be  too  happy  if  we  announced  that  this  year’s  fam¬ 
ily  vacation  was  going  to  be  at  Comdex,”  says  Ellen  Chick, 
a  network  engineer  with  a  network  consulting  company 
also  in  Orlando. 

Managing  home  life  can  be  particularly  challenging 
when  both  partners  begin  the  second  part  of  their  work¬ 
day  after  dinner.  Such  is  the  case  for  Lakshmi  Sailaja,a 
senior  consultant  with  software  development  outsourcer 
Sierra  Atlantic,  and  her  husband,  Balaji  Gangishetty  who  is 
a  principal  consultant  with  the  same  company  The  cou¬ 
ple  met  at  Sierra  Atlantic’s  Indian  office  in  Hyderabad 
and  two  years  ago  moved  to  Fremont,  Calif.,  to  work  for 
the  company’s  U.S.  operations. 

Both  need  to  be  in  contact  with  the  company’s  Indian 
office  multiple  times  a  week,  which  because  of  the  time 
difference  means  calling  overseas  at  about  10  p.m.Tm 
sitting  in  one  room  of  the  house  on  the  phone,  and  she’s 
sitting  in  another  room  on  the  phone,”  Gangishetty  says. 


“Some  days  you  get  into  calls  that  go  until  12  at  night . . . 
you  come  out  of  the  call,  and  your  mind  is  still  on  it  for 
the  next  half  an  hour? 

The  couple  has  set  a  few  basic  rules  to  keep  work  from 
swallowing  up  their  lives:  no  talking  about  work  over  din¬ 
ner  and  no  working  on  the  weekends. 

Allowing  for  work-related  chatter  at  home  can  be  both 
good  and  bad, says  Ellen  Chick.“There  have  been  times 
when  [Doug]  has  been  telling  me  about  a  particularly 
frustrating  encounter  with  an  end  user,  and  I  find  myself 
living  it  and  getting  frustrated  too,”  she  says.“Sometimes 
it’s  like, ‘I’ve  already  lived  one  day  at  work,  I  really  don’t 
want  to  come  home  and  live  another  one.’” 

But  it  also  means  partners  can  vent  without  having  to 
provide  context.“Let’s  face  it,  any  IT  person  coming 
home  to  a  non-IT  person  is  not  going  to  get  to  have  a 
30-minute  conversation  about  the  new  server  they  just 
racked,”  Ellen  says. 

“It  is  fantastic  to  have  someone  with  enough  common¬ 
ality  in  the  type  of  work  I  do  that  she  can  understand  and 
relate  to  the  situations  and  problems  I  encounter  at 
work,”  echoes  Jeff  Westerinen  about  Andrea. 

But  the  Westerinens  also  know  what  it  means  to  be  too 
close  to  their  spouse’s  job;  they  worked  together  at  IBM, 
NCR,  Intel  and  Microsoft  before  Andrea  was  hired  by 
Cisco. 

“Then  it  was  harder  to  talk  about  work.  It’s  hard  when 
your  spouse  likes  somebody  and  you  hate  them,”  says 
Andrea,  who  has  vowed  to  never  work  for  the  same 
company  as  her  husband  again.“It  got  almost  incestu¬ 
ous:  You  couldn’t  vent  to  the  other  person  because  they 
knew  the  situation." 

So  after  a  long  day  at  work,  who  fixes  the  home  net¬ 
work  when  it’s  on  the  fritz?  “Somehow  I’m  always  the 
one  playing  IT  administrator  when  things  go  wrong  with 
the  [home]  network  or  computers,  which  I  absolutely 
hate,”  Jeff  Westerinen  says. 

Leaving  management  of  the  home  network  to  her  hus¬ 
band  is  one  of  the  secrets  to  limiting  arguments,  Ellen 
Chick  says.“Having  two  people  manage  the  same  net¬ 
work  is  like  two  people  cooking  the  same  meal ...  in 
one  pot ...  in  a  camper?  she  says.“I  don’t  mess  with  it.”B 
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QUESTION:  IS  SWITCHING  FROM  THE  STATUS  QUO 
A  STICKY  SUBJECT  INSIDE  YOUR  ENTERPRISE? 
READ  ON,  THEN  LEAD  AN  ENTERPRISE-WIDE 
CHANGE  FOR  THE  BETTER. 


Simply  Juniper  your  net  and  change  complex  legacy  configurations  into 
clean-slate  convenience.  Our  comprehensive  solutions  deliver  unprecedented 
heights  of  speed,  unbelievable  depth  of  processing,  unsurpassed  security. 


►  LEADING  THE  WAY  WITH  SECURE,  ASSURED  NETWORKING,  ONLY  JUNIPER. 

Security,  with  assured  performance.  Juniper’s  promise,  and  a  unique,  industry-altering 
brand  of  networking.  Secure  &  Assured  Networking  is  application-driven:  End-to-end 
network  control,  with  guaranteed  application  delivery  and  performance  -  network  wide. 
It’s  ceaseless  security  assessment:  Deep  inspection  firewalls,  Intrusion  Detection 
and  Prevention,  as  well  as  application-aware  remote  access  SSL  VPNs.  It’s  certain 
performance:  Predictability  through  high-availability  and  platform  stability  -  all  via 
scalable  platforms.  Just  because  users  have  access  doesn’t  mean  they  should 
have  the  run  of  your  resources  -  that’s  Secure  &  Assured  Networking. 

Juniper  means  security  and  assurance  legacy  players  can’t  emulate,  only  envy. 
Because  it’s  impossible  to  bolt  onto  their  antiquated  hardware  what’s  built  into  our 
innovative  software.  Juniper  architecture  creates  incredibly  scalable  solutions,  helping 
eliminate  downtime,  upgrades  and  workarounds  while  improving  speed,  reliability 
and  performance.  That’s  how  a  Juniper  network  thrives  in  the  most  demanding 
conditions,  allowing  customers  to  build  and  run  networks  in  the  harshest,  most 
competitive  environments  -  so  forge  ahead  and  fear  not. 
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888-JUNIPER  (888-586-4737) 


www.juniper.net 


Juniper’s  carrier-class  performance,  intelligence  and  security  -  once  available  only 
to  SPs  -  is  here  for  your  enterprise.  That’s  why  we’re  the  recognized  leader,  and 
the  preferred  brand  of  mission-critical,  industry-defining  entities.  Trusted  by 
the  largest  firms  on  Wall  Street,  the  leading  enterprises  demanding 
perfect  performance,  the  most  vigilant  government  agencies  on 
worldwide  watch  to,  count  'em,  25  of  the  top  25  service  providers. 


LEAD  THE  WAY,  WITH  JUNIPER 

Need  more  help  convincing  your  enterprise  to  leave 
the  status  quo?  Get  insightful  case  studies  and  white 
papers,  clear  competitive  advantages  and  the 
networking  news  you  need.  And  get  it  here: 

http://www.juniper.net/solutions/literature/ 
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K-1 2  schools  fight  to  stymie  kid  hackers 


■  BY  ELLEN  MESSMER 

It’s  enough  to  make  you  long  for 
the  days  of  spitballs  in  the  class¬ 
room.  When  todays  K-1 2  students 
act  up,  they  increasingly  are  going 
high-tech  by  using  the  school’s 
network  to  launch  denial-of-ser- 
vice  attacks,  sending  harassing 
e-mails  or  breaking  into  databases 
to  try  to  change  their  records. 

With  public  schools  now  widely 
equipped  with  LANs  and  high¬ 
speed  Internet  access,  IT  adminis¬ 
trators  have  to  cope  with  students 
who  run  amok  in  many  ways. 
Some  infractions,  such  as 
attempts  to  get  to  pornography 
sites,  might  force  administrators 
to  temporarily  yank  a  child’s  net¬ 
work  access  as  punishment.  But 
some  types  of  incidents,  such  as 
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hacking  and  e-mail  threats,  even 
end  up  with  students  being 
booted  out  of  school  or  in  trouble 
with  the  law. 

“The  main  problems  start  devel¬ 
oping  around  7th  or  8th  grade,” 
says  Lee  Sleeper,  technology 
manager  at  Bullard  Independent 
School  District  in  Texas,  which 
has  1,650  students  who  get  a 
password  and  account  to  access 
a  multi-Gigabit  fiber  network  and 
the  Internet.  Each  8th-  to  12th- 
grader  also  gets  an  e-mail 
account. 

The  network  troublemakers  — 
perhaps  5%  of  the  older  students 
—  are  often  bright  but  have  fall¬ 
en  sway  to  the  notion  that  net¬ 
work  misbehavior,  especially 
hacking,  is  “cool,”  Sleeper  says. 
“I’m  trying  to  identify  the  ‘little 
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darlins’  who  are  so  creative  and 
get  them  on  my  side.” 

Like  most  school  districts  in 
the  country,  Bullard  uses  Web¬ 
filtering  software  to  block 
access  to  inappropriate  Web 
sites,  whether  it  be  pornogra¬ 
phy,  games  or  hate  sites. 

Students  and  parents  are 
asked  each  year  to  sign  an 
acceptable-use  policy,  which 
states  that  the  student  won’t 
wrongfully  exploit  the  network. 
According  to  the  Department  of 
Education,  which  last  month 
released  statistics  about  K-12 
networks  in  a  report,  83%  of 
schools  had  such  contracts. 

The  Department  of  Education 
notes  48%  of  public  schools  also 
let  students  access  the  Internet 
outside  of  regular  school  hours. 

But  just  because  the  Bullard  dis¬ 
trict’s  students  sign  the  accept¬ 
able-use  policy  doesn’t  mean  all’s 
quiet  on  the  network  front. 

Students  still  try  forbidden 
searches.  One  case  Sleeper  is  try¬ 
ing  to  sort  out  concerns  a  high 
school  girl  who  says  she  didn’t  try 
to  access  porn  sites  —  that  some¬ 
one  stole  her  password.  Usually 
the  punishment  would  be  tem¬ 
porarily  disabling  the  transgres¬ 
sor’s  account  after  consulting 
with  teachers  and  other  staff,  but 
stolen  password  allegations  make 
resolving  these  incidents  far 
more  difficult. 

Upping  the  ante 

Network  hijinks  get  worse. 

“A  neighboring  school  district 
had  a  student  who  miraculously 
had  no  absences,”  Sleeper  says. 
This  prompted  suspicion  among 
school  staff.  It  turned  out  the  stu¬ 
dent  appropriated  a  clerical 
account  and  changed  the  school 
records.  The  case  led  to  criminal 
charges. 

Sleeper  says  schools  have  to 
teach  responsibility  and  ethics  in 
technology  use  and  offer  the 
tools  of  the  modern  world,  but  in 
every  generation,  there  are  times 
when  “the  whole  interest  in  life  is 
in  circumventing  the  system.” 

Philip  Scrivano,  management 
analyst  at  the  Bakersfield,  Calif., 
Fiscal  Crisis  &  Management  Assis¬ 
tance  Team  (FCMAT),  agrees.  His 
organization  gets  state  funding  to 
assist  California  schools  through 
various  troubles,  including  net¬ 
work-related  ones. 

“There  is  the  sub-culture  of 
coolness  in”  inappropriate  net¬ 
work  behavior,  he  says.  “Kids  will 
play  around,  especially  junior 


high  school  boys.” 

Scrivano  says  that  in  his  role  as 
adviser,  he’s  seen  three  students 
expelled  for  installing  a  keylog- 
ger  on  the  teacher’s  PC  and 
changing  grades.  He’s  also  seen 
students  expelled  for  breaking 
into  servers.  While  school  staff 
want  to  temper  justice  with 
mercy  the  situation  is  simply  that 
some  troublemakers  are  spend¬ 
ing  inordinate  amounts  of  time 
planning  break-ins  —  sometimes 
50  to  100  hours  for  one  attack. 

The  hard  part  is  making  teen¬ 
agers  understand  that  what 
they’re  doing  is  a  crime.  Andy 
Prestage,  another  management 
analyst  at  FCMAT,  says  children 
sometimes  brag  to  the  media 
about  what  they’ve  done  —  and 
the  outcome  is  they  get  arrested. 
Some  serve  jail  time  or  get  fined. 
FCMAT  itself  provides  both  legal 
and  computer  forensics  support 
to  California  schools. 

Taking  countermeasures 

In  the  Palm  Springs  Unified 
School  District  in  California, 
which  has  22,000  students  and 
28  sites,  students  trying  to  hack 
into  school  records  caused 
enough  problems  that  the  dis¬ 
trict  installed  an  intrusion-pre¬ 
vention  system  from  McAfee, 
says  Rick  Corl,  director  of  tech¬ 
nical  services  for  the  school 
district. 

“We  had  students  hacking  into 
our  information  systems  from 
other  school  districts,”  Corl  says. 
Some  students  also  launch  DoS 
attacks  on  the  school’s  domain 
name,  he  says. 

In  the  Bryan  County  Ga., system 
—  which  has  nine  schools  and 
6,000  students  who  have  T-3 
access  to  the  Internet  - —  the 
daily  battle  that  network  admin¬ 
istrators  fight  is  preventing  game 
and  music  downloads  while 
striving  not  to  block  the  passage 
of  educational  files  by  teachers. 

But  one  incident  —  where  a 
teacher  was  mailed  suggestive 
and  threatening  e-mail  —  forced 
the  IT  department  to  work  with 
Georgia  law  enforcement  and  a 
local  ISP  to  track  down  the 
source,  says  Technology  Director 
Jay  Meeks. 

The  e-mail  turned  out  to  be 
from  a  student’s  home  computer. 
Because  the  child  admitted  what 
he  did,  the  school  took  correc¬ 
tional  action,  which  largely  foc¬ 
used  on  counseling.  “But  if  the 
child  hadn’t  admitted  what  he 
did,  it  would  have  been  a  differ- 


School  safety 

With  the  percentage  of 
schools  outfitted  with 
broadband  Internet 
access  on  the  rise . . . 
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ent  outcome,”  Meeks  says. 

At  the  very  least,  students  are 
punished  for  violating  accept¬ 
able-use  policies  by  having  their 
network  access  yanked.  That’s 
getting  harder  to  do  since  teach¬ 
ing,  learning  and  doing  research 
in  American  schools  is  more  and 
more  coupled  with  networks. 

“We’ve  had  students’  network 
privileges  or  computer  removed 
for  the  school  year;’  says  Becki 
King,  technology  coordinator  for 
the  Northern  Community  Schools 
of  Tipton  County  Ind.,  which  has 
1,000  students.  “But  that  makes  it 
harder  for  them  to  do  their 
schoolwork.” 

IT  administrators  say  they  don’t 
like  being  cast  in  a  Big  Brother- 
role  on  school  networks,  but  the 
primary  focus  is  on  safety. 

“We  worry  about  a  lot  of  things, 
including  outsiders  getting  into 
the  network,”  Sleeper  says.  The 
worry  about  chat-room  contact; 
becoming  dangerous  to  students 
means  that  the  school  district 
doesn’t  permit  chat  and  block 
access  to  it.  ■ 
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Have  you  overhauled  your  network  and 
realized  a  substantial  ROI,  discovered 
a  significant  new  business  opportunity  or 
found  a  creative  way  to  leverage  technology? 

If  so,  get  in  the  running  for  Network  World’s  new  Renovator 
Award,  the  top  winners  of  which  will  be  honored  at  a 
celebration  in  Las  Vegas  during  the  NetWorld+Interop 
conference,  May  3-5. 

Entries  will  be  judged  by  a  panel  of  Network  World  editors, 
columnists  and  industry  experts.  Winners  will  be  presented 
an  award  at  the  celebration  and  profiled  in  a  subsequent 
Network  World  story. 

Stand  up  and  be  counted. 


Enter  today  at  www.nwfuslon.com/renovator2005.html, 
DocFinder:  5951. 

All  entries  must  be  received  by  March  28,  2005. 
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New  IETF  chief:  Our  work’s  still  cool 


Brian  Carpenter,  a  distinguished  engi¬ 
neer  with  IBM,  has  taken  over  as  chair  of 
the  IETF;  the  Internet’s  foremost  stan- 
dards-setting  body.  Carpenter  is  the  sixth 
person  to  chair  the  IETF  since  its  found¬ 
ing  in  1986.  NetworkWorld  Senior  Editor 
Carolyn  Duffy  Marsan  had  an  exclusive 
intewiew  with  Carpenter  at  the  group’s 
recent  meeting  in  Minneapolis.  Here  are 
excerpts  from  their  conversation: 

What  is  your  role  at  IBM? 

1  handle  internal  coordination  regarding  the  iETFI’m  also 
working  on  product  development  strategy  for  networking.The 
IETF  chair  is  a  full-time  job,  but  I  am  keeping  a  few  customer 
projects.  I  don’t  want  to  be  too  removed  from  reality 

What  do  you  hope  to  accomplish  as  IETF  chair? 

My  first  goal  is  an  internal  goal  for  the  IETF  but  I  would  like 
to  get  the  Internet  Engineering  Steering  Group  into  a  position 
of  steering  and  not  just  processing  documents.  I  would  like  the 
members  of  the  steering  group  to  get  into  more  strategic 
issues  of  where  we  should  be  going  in  the  future.  Second,  I 
want  to  improve  our  liaison  relationships  with  other  standards 
bodies,  including  the  International  Telecommunication  Union, 
the  Third  Generation  Partnership  Project  and  the  Open  Mobile 
Alliance.  1  want  these  relationships  to  work  in  both  ways. 

What  is  the  most  important  technical  work  going  on  in  the  IETF  right 
now  and  why? 

I  still  believe  that  getting  IPv6  deployed  is  very  important.  I 
think  the  people  who  say  we  can  go  on  with  IPv4  are  strategi¬ 
cally  wrong.  Second,  I  think  we  have  work  to  do  in  the  security 
area. There  is  still  more  work  to  be  done  to  have  an  overall 
security  model. The  other  important  work  is  [Session  Initiation 
Protocol]  and  everything  that  goes  with  SIP  This  is  where  the 
liaison  issue  with  the  ITU  comes  up  because  we’ll  be  using 
SIP  to  run  regular  telecommunications  services  over  the 
Internet. 

What  will  you  do  as  IETF  chair  to  promote  IPv6? 

The  IETF’s  main  job  on  IPv6  is  done,  and  it  is  now  shipping  in 
major  operating  systems.  It’s  now  a  deployment  issue,  not  a 
development  issue. The  IETF  needs  to  keep  saying  that  IPv6  is  a 
strategic  technology  and  that  it’s  ready  There  is  already  strong 
commitment  by  the  U.S.  Department  of  Defense,  China  and  the 
3G  [Partnership  Project]  to  IPv6.  A  small  or  medium-sized  busi¬ 
ness  probably  has  no  urgent  need  for  IPv6.  But  for  the  enterpris¬ 
es,  sooner  or  later  they  will  notice  that  all  their  operating  sys¬ 
tems  and  routers  can  do  IPv6.Then  they’ll  notice  that  it’s  not  a 
big  capital  expense  to  move  to  IPv6.  But  it  may  be  a  big  deal 
operationally 

Many  IETF  working  groups  are  behind  schedule.  What  will  you  do  to 
encourage  them  to  wrap  up  their  work? 

There’s  no  single  answer.  When  you  dig  into  why  something 
is  moving  slowly,  it  might  be  pure  sociology  as  in  the  working 
group  dynamics  or  it  could  be  a  patent  issue  or  a  general 
technical  difficulty  or  there  could  be  something  wrong  with 
our  processes.  Other  standards  bodies  meet  their  deadlines 
but  they  put  out  documents  with  certain  items  still  open  for 
study  These  documents  aren’t  usable  by  implementers.We 
don’t  do  that.  It  can  be  frustrating  for  other  organizations,  but  it 
has  always  been  the  IETF  practice  to  wait  until  we  have  a  stan¬ 
dard  that  can  be  implemented. 


What  concerns  you  most  about  the  health  of  the  Internet  infra¬ 
structure? 

Where  [Multi-protocol  Label  Switching]  and  [Generalized 
MPLS]  go  are  clearly  a  matter  of  concern.  We  still  have  security 
issues  at  the  infrastructure  level,  including  securing  [Border 
Gateway  Protocol] .  Internationalization  is  also  a  very  interest¬ 
ing  issue  because  it’s  a  matter  of  great  interest  to  the  users.  But 
it’s  a  matter  of  very  little  interest  to  some  of  the  technical  peo¬ 
ple  because  they  view  it  as  a  presentation-layer  issue. 

There  is  a  perception  that  more  of  the  cutting-edge  standards  work 
is  going  to  other  groups,  such  as  the  Organization  for  the 
Advancement  of  Structured  Information  Standards  and  the  Liberty 
Project.  Is  the  IETF  losing  the  cool  work  to  rival  standards  bodies? 

It’s  clear  that  one  of  the  things  we  need  to  do  is  understand 
the  scope  of  what  we  do  in  the  applications  area.  For  example, 
in  the  area  of  Web  services,  a  lot  of  standards  work  is  done  by 
the  World  Wide  Web  Consortium  and  OASIS.  I  don’t  think  that’s 
a  point  of  tension.  Everyone  agrees  that  the  IETF  is  the  mainte¬ 
nance  body  for  [Hypertext  Transfer  Protocol] ,  while  every¬ 
thing  that  runs  on  HTTP  is  at  W3C.There’s  some  virtue  in  spe¬ 
cialization  for  the  standards  bodies.  So  I  don’t  believe  we’re 
losing  the  cool  work. 

Is  the  IETF  still  the  Internet's  premier  standards-setting  body? 

Yes.  I  believe  it  is  for  infrastructure  standards.  For  Layers  3 
and  4,  we  are  the  leaders.  I  don’t  believe  that’s  in  doubt. 

Attendance  at  this  meeting  is  down,  from  a  high  of  3,000  a  few  years 
ago  to  a  little  more  than  1,000  now.  How  big  of  a  problem  is  that? 

What  I’m  hearing  is  that  things  are  working  much  better  than 
when  we  had  3,000  attendees  and  people  were  spilling  out 
into  the  hallways.  Now  the  people  who  come  to  our  meetings 
are  serious  about  the  work  we  do. 

Your  predecessor,  Harald  Alvestrand  of  Cisco,  spent  much  of  the 
past  two  years  involved  in  administrative  restructuring.  Do  you  think 
you  will,  too? 

What  I’m  hoping  is  that  we  can  fairly  expeditiously  finish 
administrative  restructuring  and  get  the  new  administrative 
oversight  committee  in  place  so  it  can  become  a  self-con¬ 
tained  entity.  I  will  still  be  concerned  about  IETF  workflow, 

IETF  processes  and  IETF  sociology.  Part  of  my  job  is  to  make 
sure  all  of  that  runs  smoothly 

The  IETF  chair  is  a  huge  job  with  no  pay  and  lots  of  hassles.  Why  take 
on  this  job? 

Partly  because  people  were  twisting  my  arm,  but  mostly 
because  I  think  it’s  important  to  grow  the  Internet  for  the  ben¬ 
efit  of  the  whole  world. 

AT&T,  MCI  and  Sprint  have  traditionally  been  active  participants  in 
the  IETF  but  they  are  all  undergoing  mergers.  The  regional  carriers 
-  SBC,  Verizon  and  Qwest  -  have  not  been  as  active  in  the  IETF.  Will 
ISP  consolidation  hurt  the  IETF? 

That’s  a  hard  question.  Larger  companies  tend  to  move  more 
slowly  to  new  technology,  but  when  they  move  they  really 
throw  their  weight  around. The  question  is  when  these  carriers 
will  need  to  upgrade.The  smaller  carriers  have  tended  to  be 
end  users  rather  than  innovators  in  the  technology  Once  the 
acquisitions  shake  down,  I  can’t  see  how  they  won’t  be  inter¬ 
ested  in  new  technologies.  ■ 


See  how  the  IETF  is  approaching  communication  over 
the  Internet  in  the  event  of  emergencies.  PAGE  63. 
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A  lot  of  products  claim  to  reduce  the  complexity  and  cost  of  enterprise 
backup.  But  one  actually  delivers — the  Scalar ®  i2000,  part  of  the  growing 
iPlatform™  family  from  ADIC,  the  leading  provider  of  tape  libraries  for 
open-systems  backup.  * 

Embedded  intelligence.  The  Scalar  i2000  is  the  first  library  to  integrate 
advanced  management  functions — proactive  monitoring,  built-in  partitioning, 
automated  diagnostics,  and  I/O  management — so  it  delivers  faster  and  more 
reliable  backup  and  uses  less  of  your  budget,  time,  and  staff. 

Faster  resolution,  fewer  service  calls.  Smarter  diagnostics  and  dedicated 
service  teams  mean  fewer  interruptions  and  faster  resolution.  The  Scalar 
i2000  requires  half  the  service  calls  of  conventional  libraries.  And  the 
worldwide  ADIC  service  team  solves  problems  before  customers  see  them. 

Capacity  on  demand.  As  its  name  suggests,  the  Scalar  i2000  is  designed  to 
scale  with  your  storage  needs.  So  you  don't  have  to  worry  about  running  out 
of  space  or  paying  for  more  than  you  need. 

After  all,  you  were  hired  to  use  your  brains  for  more  important  things. 

‘Market  share  from  Gartner  Dataquest,  Tape  Automation  Systems  Market  Shares,  2003,  F.  Yale,  April  2004. 


Visit  www.adic.com/i2k  to  get  your  free  Aberdeen  Group  white  paper: 

Taking  an  Intelligent  Step  Forward  in  Tape  Backup  and  Restore. 


C6S3 


Available  through  EMC  Corporation,  your  complete  source  for  information  lifecycle 
management  solutions.  Call  your  local  ADIC  or  EMC  sales  representative  for  more  information. 


EMC2 


Intelligent  Storage 
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Copyright  2005  Advanced  Digital  Information  Corporation  (ADIC),  Redmond,  WA,  USA.  All  rights  reserved.  Created  in  USA. 
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Stage  set  for  compromise  on  IEEE  high-speed 


■  BY  JOHN  COX 

ATLANTA  — The  IEEE  task  group  charged 
with  creating  a  100M  bit/sec  wireless  LAN 


standard  has  set  the  stage  for  a  compromise 
between  the  two  remaining  factions. 

Members  of  theTGn  Sync  and  World  Wide 
Spectrum  Efficiency  (WWiSE)  organiza¬ 


tions  might  be  ready  to  negotiate  on  a  pro¬ 
posal  that  could  win  75%  of  the  votes  at  the 
next  meeting  of  802.1  In  task  group. That’s 
the  number  needed  for  a  proposal  to  be 


Satellite  communications  ruggedized  for 
remote  locations  and  harsh  environments. 

Secure  Corporate  Networking 
Digital  Telephony 
Broadband  Internet 
Real-Time  Video 

For  more  information  call  I  -888-482-0289. 


CapRock 


adopted  as  a  draft  standard.  Otherwise,  the 
group  will  take  a  step  backward  and  begin 
to  reconsider  proposals  that  had  been  elim¬ 
inated. 

The  group’s  job  is  to  create  a  WLAN  stan¬ 
dard  that  will  deliver  actual  throughput  of 
more  than  100M  bit/sec,  a  quantum  leap 
above  the  20M  bit/sec  for  today’s  802.1  lg 
and  11a  WLANs.  The  current  802.11  stan¬ 
dard  eats  up  more  than  half  of  the  54M 
bit/sec  data  rate  for  802.1  lg  and  11a.  The 
higher,  though  still  shared,  bandwidth  will 
rival  that  of  many  wired  networks  and  sup¬ 
port  demanding  applications  such  as  sever¬ 
al  video  and  audio  streams  at  once,  huge 
image  files  and  simulations. 

“Both  sides  realize  that  a  standard  has  to 
come  as  quickly  as  possible,"  says  Jack 
Winters,  chief  scientist  at  Motia,a  Pasadena, 
Calif.,  fabless  semiconductor  company 
designing  radio  chips  that  integrate  with 
smart  antennas.  Winter  is  a  member  of  the 
802.1  In  task  group  but  is  not  affiliated  with 
TGn  Sync  or  WWiSE.  “Delays  or  deadlocks 
will  result  in  both  groups  failing,”  he  says. 

Last  week  in  Atlanta,  members  of  the 
802.1  In  task  group  continued  winnowing 
proposals.They  voted  by  a  slender  majority 
in  favor  of  one  proposal  from  a  group  of 
vendors  called  TGn  Sync.  But  the  next  day 
in  the  confirmation  vote,  that  proposal  fell 
far  short  of  the  75%  majority  it  needed  to  be 
adopted  as  the  draft  802.1  In  standard. 

The  members  of  TGn  Sync  include  chip 
makers  such  as  Atheros,  Intel  and  Marvel, 
network  equipment  makers  such  as  Cisco 
and  Nortel,  and  consumer  products  com¬ 
panies  such  as  Panasonic,  Samsung  and 
Sony.  WWiSE  members  include  Airgo 
Networks,  Broadcom,  Connexant,  Motorola 
and  Texas  Instruments,  along  with  Buffalo 
Technology,  Hughes  Network  Systems, 
France  Telecom,  Nokia  and  NTT. 

Both  proposals  (details  at  www.nwfusion. 
com,  DocFinder:  6353)  make  use  of  tech¬ 
nology  called  multiple  input/multiple  out¬ 
put  (MIMO)  to  dramatically  boost  the 
amount  of  data  that  can  be  sent  over  a 
radio  connection.  MIMO-based  WLAN 
products  already  are  on  the  market  based 
on  Airgo’s  chipset,  which  is  the  only  one 
shipping  in  volume.  (See  related  story  on 
page  67.) 

“Neither  one  has  the  votes  for  75%  right 
now,  unless  there’s  an  official  compromise,” 
says  Greg  Raleigh,  CEO  of  Airgo,  and  author 
of  one  of  the  earliest  academic  papers  on 
MIMO.  “We’re  not  even  at  Draft  1.0  yet.  And 
after  that,  you  have  to  design  [a  standard] 
that  you  can  actually  build  [products]  to, 
and  interoperate." 

There  already  has  been  compromise, 
Motia’s  Winters  says,  as  both  groups  have 
made  changes  in  their  proposals.  TGn  Sync 
dropped  a  requirement  to  use  40-MHz 
channels  instead  of  the  conventional  20 
MHz;  now  the  bigger  channel  is  an  option. 
WWiSE  added  support  for  transmit  beam 
forming,  which  is  a  technique  for  boosting 
performance  by  using  antenna  arrays  that 
in  effect  focus  radio  signals.  ■ 
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Get  a  contemporary  overview  of  today's  storage  networking  issues  and  opportunities 
See  how  to  implement  and  deploy  the  latest  in  storage  networking  technologies 
Hear  the  latest  in  enterprise  security 
Learn  from  best  practices  and  case  studies 


Why  You  Should  Attend 

Are  you  responsible  for  managing  your  company's  data  center  assets?  Want  to  exchange  innovative  ideas 
and  strategies  with  other  executives  who  share  the  same  objectives?  Then  attend  Storage  Networking 
World,  where  you’ll  network  with  and  learn  from  renowned  experts  and  the  nation's  top  user  executives. 


Conference  At-a-Glance 


(subject  to  change ) 


For  details,  updates,  and  to  register  visit  www.snwusa.com/nww 


TUESDAY,  APRIL  12 


Registration  Open  1 1 :00am  -  8:30pm 


9:00am  -  9:30am 
9:30am  -  1 1 :30am 
1 1 :30am  -  1 :00pm 
1 2:00pm  -  5:00pm 
1 :00pm  -  5:25pm 


6:00pm  -  8:00pm 

WEDNESDAY,  APRIL  13 


Breakfast 

Pre-Conference  Tutorials  and  Primers 

Luncheon 

Pre-Conference  Golf  Outing 

End-User  Case  Studies;  SNIA  Voice  of  the  User  Track; 
SNIA  Technical  Tutorials  Track;  Deployable  Solutions  Track 

Welcome  Reception 


Registration  Open  7:00am  -  8:00pm 


7:1 5am  -  8:1 5am 
8:1 5am  -  8:30am 
8:30am  -  9:1 5am 


Breakfast 

Opening  Remarks 

Opening  Visionary  Presentation 

Ira  Winkler,  Security  Expert  and  Author  of  Spies  Among  Us 


9:1 5am  -  9:45am 


End-User  Case  Study 

Bob  Mathers,  Second  Vice  President,  Information  Technology 
Operations  &  Disaster  Recovery,  Guardian  Life  Insurance 


9:45am  -  1 0:1 5am 


Industry  Leader  Presentation 

Ann  Livermore,  Executive  Vice  President, 

Technology  Solutions  Group,  Hewlett-Packard  Company 


1 0:1 5am  -  1 0:30am 
1 0:30am  -  1 1 :00am 


Break 


1 1 :00am  -  1 1 :30am 


1 1 :30am  -  Noon 


End-User  Case  Study 

Bob  Eicholz,  Vice  President,  EFILM,  LLC 


Industry  Leader  Presentation 

John  Thompson,  CEO,  Symantec 


End-User  Case  Study:  The  Story  (and  Storage!) 
Behind  Kodak’s  Online  Photo  Success 

Sonja  Erickson,  Vice  President,  Technical  Operations, 
Kodak  EasyShare  Gallery 


Noon  -  1 2:45pm 


Panel  Discussion 

Moderated  by:  Jon  William  Toigo,  CEO  &  Founder, 
Toigo  Partners  International 


1 2:45pm  -  2:00pm 
2:1  Opm  -  5:40pm 


5:40pm  -  8:40pm 


Luncheon 

End-User  Case  Studies;  SNIA  Voice  of  the  User  Track; 
SNIA  Technical  Tutorials  Track;  Deployable  Solutions  Track 

Expo  with  Dinner  and  Interoperability  &  Solutions  Demo 

•  30-plus  SNIA  member  companies  collaborating  on  integrated  solutions 

•  Opportunity  to  meet  leading  experts  and  engineers 


For  more  information  and  to  register,  visit  www.snwusa.com/nww  or  call  1-800-883-9090 


For  more  information  and  to  register,  visit  www.snwusa.com/nww  or  call  1-800-883-9090 


THURSDAY,  APRIL  14 


Registration  Open  7:00am  -  6:00pm 


7:15am  -  8:15am 
8:15am  -  8:30am 
8:30am  -  9:1 5am 
9:1 5am  -  9:45am 

9:45am  -  1 0:1 5am 


Breakfast 

Opening  Remarks 

Opening  End-User  Visionary  Presentation 

■  Industry  Leader  Presentation 

Andy  Monshaw,  General  Manager,  Storage  Systems, 

IBM  Systems  and  Technology  Group 

End-User  Case  Study 

Bob  Logan,  Vice  President,  Enterprise  Infrastructure  Services,  SAIC 


10:15am  -  10:30am 
10:30am  -  1 1 :00am 


Break 


Industry  Leader  Presentation 

Jeff  Nick,  Vice  President  and  Corporate-Wide  CTO,  EMC  Corporation 


1 1 :00am  -  1 1 :30am 


End-User  Case  Study 

Sasan  Hamidi,  CSO,  Interval  International 


1 1 :30am  -  Noon 


Noon  -  1 2:45pm 


1 2:45pm  -  2:00pm 

2:1 0pm  -  5:40pm 
2:10pm  -  5:40pm 

4:00pm  -  7:00pm 

7:00pm  -  9:30pm 


■  Industry  Leader  Presentation 

1  John  Kelley,  President  and  CEO,  McData 
I 

H  End-User  Panel 

Moderated  by:  Steve  Duplessie,  Founder  &  Senior  Analyst, 
Enterprise  Strategy  Group 

Expo  with  Lunch  and  Interoperability  Demo 

W  I  DC  Storage  Analyst  Briefing 

End-User  Case  Studies;  SNIA  Voice  of  the  User  Track; 

SNIA  Technical  Tutorials  Track;  Deployable  Solutions  Track 

Expo  Open 

•  Cocktail  Reception  in  Expo  begins  at  5:30pm 

Gala  Evening  with  Awards  Ceremony,  Dinner  &  Entertainment 


FRIDAY,  APRIL  15 


Registration  Open  7:30am  -  10:00am 


7:30am  -  1 0:00am 
8:30am  -  Noon 

Noon 


Continental  Breakfast 

End-User  Case  Studies;  SNIA  Voice  of  the  User  Track; 
SNIA  Technical  Tutorials  Track;  Deployable  Solutions  Track 

Conference  Concludes 


"...  at  SNW,  you  connect 
with  folks  you  normally 
wouldn’t  meet  and 
capitalize  on  the 
serendipitous  exchange 
of  ideas  ...” 

HJohn  Seely  Brown 
former  director,  Xerox 
Palo  Alto  Research 
Center  (PARC),  and 
former  chief  scientist, 
Xerox 


“...  SNW  is  a  great  venue 
for  peer  discussion  ...  an 
opportunity  to  provide 
feedback  to  vendors  on 
what  users  need  from 
them  ...” 


VJohn  Greer 
Director, 

IT  Infrastructure, 
Pacific  Gas  &  Electric 


SNIA 

Attend  SNIA-Certified 
Training  Programs  at  SNW 

Visit  www.snwusa.com  for  more 
information. 


Pre-Conference  Golf  Outing 

Complimentary  for  Registered  IT  End-Users 


SPONSORED  BY 

Quantum 


The  Pre-Conference  Golf  Outing  at  The  Wildfire 
Golf  Club,  Faldo  Course  located  at  the  JW 
Marriott  Desert  Ridge  Resort,  is  complimentary 
($165  value)  for  registered  IT  End-Users  (other 
participants,  including  sponsors  and  vendors,  may  play  on  an  “as  avail¬ 
able”  basis  and  are  responsible  for  all  applicable  golf  outing  expenses). 


For  details  contact  Chris  Leger  at  1-508-820-8277 


Hotel  Reservations  and  Travel  Services 

Global  Odysseys  is  the  official  travel  company 
for  Storage  Networking  World.  They  are  your 
one-stop  shop  for  exclusive  discounted  rates  on 
hotel  accommodations. 

To  reserve  your  accommodations,  visit:  www.etcentral.com 
You  can  also  call  our  conference  housing  line  at:  1-888-254-1597 


April  12-15,  2005  •  JW  Marriott  Desert  Ridge  Resort  •  Phoenix,  Arizona 


^-snia 


STORAGE 

NETWORKING 

WORLD 


COMPUTERWORLD 

April  12-15,  2005 
JW  Marriott 
Desert  Ridge  Resort 
Phoenix,  Arizona 


Application  for  Conference  Registration 

Fax  this  completed  application  to  1-508-820-8254  or  apply  online  at:  www.snwusa.com/nww 


Your  business  card  is 
REQUIRED 

to  process  your  application 

Please  affix  your  business  card  to  this  space  prior  to 
submitting  your  application.  Applications  submitted 
without  business  cards  will  not  be  processed. 

Questions?  Call  1-800-883-9090 


If  not  indicated  on  your  business  card, 
please  provide  the  following  required 
information: 


Corporate  Email  Address 


Corporate  Website 

Registration  questions? 

Call  1  -800-883-9090  or  email 
snwreg@computerworld.com 

Need  accommodations? 

Reserve  them  at:  www.etcentral.com 

Or  call  1-888-254-1597 
or  email:  eventhousing@globalodysseys.com 


Please  check  ONE  of  the  following: 

Earlybird  Registration  (through  February  28.  2005) 

Full/Onsite  Registration  (after  February  28,  2005) 

Q  1  am  an  IT  End-User* 

(Complete  Attendee  Profile  below) 

□  $895  General  Conference  Package  (April  1 3  &  14) 
(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 

□  $1,290  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference,  plus  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA-Certification  “Test-Ready*  Courses) 

□  $1,295  General  Conference  Package  (April  13  &  14) 
(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 

□  $1,690  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference,  plus  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA-Certification  ‘Test-Ready’  Courses) 

*  IT  End-Users  are  defined  as  those  who  are  attending  Storage  Networking  World  with  an  intent  (and  an  IT  spending  budget)  to  potentially  buy/lease  hardware/software/services,  etc  from  our  conference  sponsors  and  are  not  themselves  an  IT  vendor.  As  such, 
account  representatives,  business  development  personnel,  analysts,  consultants  and  anyone  else  attending  who  does  not  have  IT  purchasing  influence  within  their  organization  are  excluded  from  the  “IT  End-User"  designation.  Interpretation  and  enforcement  of 
this  policy  are  at  the  sole  discretion  of  Computerworld. 


□  I  am  a  Channel  Partner/ 
I  nteg  rator/Consu  Ita  nt 

(Complete  Attendee  Profile  below) 


□  $3,000  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference;  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA  Certification  “Test-Ready"  Courses) 


□  $3,500  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference;  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA  Certification  “Test-Ready"  Courses) 


By  participating  in  SNWs  Channel  Partner/Integrator  registration  package,  registrants  may  enjoy  the  following  benefits:  One  company  representative  may  receive  a  full  conference  pass  to  SNW  Spring  2005;  additional  company 
representatives  pay  $695  each  for  full  conference  passes;  company  may  invite  up  to  five  IT  User  customers  to  attend  SNW  Spring(IT  Users  must  be  strictly  compliant  with  IT  User  definition  on  the  supplied  registration  form); 
companies  registering  for  this  package  interested  in  joining  the  SNIA  are  eligible  to  receive  a  $2,000  discount  provided  that  membership  is  applied  for  prior  to  March  1 , 2005. 


Attendee  Profile:  This  section  MUST  be  completed  by  IT  End-Users  and  Channel  Partners/Integrators/Consultants  only  (optional  for  all  other  registrations)  in  order  to  process  your  application. 


Your  Business/ Industry 

□  Aerospace 

□  Manufacturing  &  Process  Industries  (non-computer  related) 

□  Finance/Banking/Accounting 

□  Insurance/Real  Estate/Legal  Sevices 

□  Government:  Federal  (including  Military) 

□  Government:  State  or  Local 

□  Health/Medical/Dental  Services 

□  Retailer/Wholesaler/Distributor  (non-computer  related) 

□  Transportation/Utilities 

□  Communication  Carriers 

(ISP,  Telecom,  Data  Comm,  TV/Cable) 

□  Construction/Architecture/Engineering 

□  Data  Processing  Services 

□  Education 

□  Agriculture/Forestry/Fisheries 

□  Mining/Oil/Gas 

□  Travel/Hospitality/Recreation/Entertainment 

□  Publishing/Broadcast/Advertising/ 

Public  Relations/Marketing 

□  Research/Development  Lab 

□  Business  Services/Consultant  (non-computer  related) 

□  Manufacturing  of  Computers,  Communications, 

Peripheral  Equipment  or  Software 


Your  Job  Title/Function: 

IT  MANAGEMENT 

□  CIO,  CTO,  CSO 

□  Executive  VP,  Senior  VP 

□  Vice  President 

□  Director 

□  Manager/Other  IT  Manager 

□  Supervisor 

BUSINESS  MANAGEMENT 

□  CEO,  COO,  Chairman,  President 

□  CFO,  Controller,  Treasurer 

□  Executive  VP,  Senior  VP,  VP,  General  Manager 

□  Director,  Manager 

□  Other  Corporate/Business  Manager 

Number  of  employees  in  your  entire  organization 
(ALL  locations) 

□  20,000  or  more 

□  10,000-  19,999 

□  5,000-9,999 

□  1 ,000  -  4,999 

□  500  -  999 

□  100-499 

□  50-99 

□  Less  than  50 


What  is  your  organization's  annual  IT/IS  budget 
for  all  IT/IS  products? 

□  $  1  Billion  or  more 

□  $500  Million  -  $999.9  Million 

□  $100  Million -$499.9  Million 

□  $50  Million  -  $99.9  Million 

□  $10  Million  -  $49.9  Million 
a  $1  Million  -  $9.9  Million 

□  $500,000  -  $999,999 

□  $250,000  -  $499,999 

□  $100,000 -$249,999 

□  Less  than  $100,000 

What  is  the  estimated  annual  revenue  of 
your  entire  organization? 

□  Over  $10  Billion 

□  $1  Billion  -  $9.9  Billion 

□  $500  Million  -  $999  Million 

□  $100  Million -$499  Million 

□  Less  than  $100  Million 


The  one  item  that  best  describes  your  involvement  in 
the  IT  purchase  process 

□  Authorize/approve  purchase 

□  Evaluate/recommend  products,  brands,  vendors 

□  Specify  features/technical  requirements 

□  Set  budget  for  expenditures 

□  Determine  need  to  purchase 

□  Create  IT  strategy 

□  All  of  the  above 

Would  you  like  to  receive  information  about  playing  in 
the  golf  outing  on  Tuesday,  April  12th? 

□  Yes 

□  No 

Do  you  need  hotel  accomodations? 

□  Yes  (please  visit  www.etcentral.com  to  reserve) 

□  No 

Would  you  like  to  receive  a  complimentary 
subscription  to  Computerworld? 

□  Yes 

□  No 


I  |  My  company  is  Sponsoring/ 
Exhibiting  at  SNW 


□  $895  (through  February  28,  2005) 

General  Conference  Package  (April  1 3  &  14) 

(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 


□  $1,295  (after  February  28,  2005) 

General  Conference  Package  (April  13  &  14) 

(includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 


□  $1,290  Total  4-Day  Package  (April  12,  13,  14,  15) 

(includes  General  Conference,  plus  Technical  and  Business  Tracks, 

SNIA-produced  Tutorials,  SNIA-Certification  “Test-Ready*  Courses) 

As  a  sponsor,  you  may  be  eligible  to  attend  using  a  registration  provided  with  your  sponsorship.  (If  those  registrations  have  already  been  assigned/used,  then  you  may  register  at  the  prevailing  rates  above.)  Ser 
the  current  list  of  sponsors  at  www.snwusa.com.  Questions?  Call  1  -800-883-9090  or  email  snwreg@computerworld.com. 


□  $1,690  Total  4-Day  Package  (April  12,  13,  14,  15) 
(includes  General  Conference,  plus  Technical  and  Business  Tracks, 
SNIA-produced  Tutorials,  SNIA-Certification  “Test-Ready"  Courses) 


□  I  am  a  representative  of  a  Non-Sponsoring  IT  Vendor  Company 

Q  $5,000  Business  Development  Professional  Package  for  Sales,  Marketing  and  Business  Development  Professionals  (includes  General  Conference  Sessions,  Expo,  Meals  &  Receptions) 


Vendors  are  encouraged  to  participate  in  Storage  Networking  World  through  sponsorship.  (Details  are  available  by 
calling  Ann  Harris  at  508-8208667.)  Alternatively,  vendors  (as  well  as  other  “non-IT  end-user*  professionals  as 
defined  by  Computerworld),  may  apply  for  registration  at  the  “non-sponsoring  vendor"  rate  of  $5,000.  Determination 
of  what  constitutes  a  “non-sponsoring  vendor"  registration  is  made  exclusively  by  Computerworld. 

Please  call  888-239-4505  with  questions. 


□ 


I  am  a  Financial/Equity  Analyst  and/or  Venture  Capital  Professional 


□  $1,290  (through  February  28,  2005) 
General  Conference  Package 
(includes  General  Conference  Sessions, 
Expo,  Meals  &  Receptions) 


□  $1,690  (after  February  28,  2005) 
General  Conference  Package 
(includes  General  Conference  Sessions, 
Expo,  Meals  &  Receptions) 


□  I  am  a  qualified  member  of  the  press.  I  can  verify  my  press  credentials. 
Press  should  call  Marenghi  Public  Relations  at  1-781-915-5000  to  register. 

Please  fax  this  completed  application  to  1-508-820-8254 


Payment  Method 

□  Check  (checks  must  be  received  by  March  21 , 2005  payable  to:  Computerworld) 
Mail  to:  Computerworld,  Attn:  Mike  Barbato,  One  Speen  Street  Framingham,  MA  01 701 

□  American  Express  □  VISA  □  MasterCard 

Account  Number: _ „ 

Expiration  Date:_ _ 

Holder 

SBiature  of  CarcHiolder: _ 

Cancellation  Policy  (All  of  the  following  require  written  notification  by  March  21,  2005) 

In  the  event  of  cancellation,  the  registrant  has  three  options: 

1 )  He  or  she  may  substitute  another  attendee  for  this  conference. 

2)  He  or  she  may  transfer  this  registration  to  the  Storage  Networking  World  Fall  2005  conference. 

3)  The  registration  fee  will  be  refunded,  less  a  $250  service  charge  (if  written  notice  is  received  by  March  21, 2005). 

Please  send  cancellation  requests  via  email  to:  snwreg@computerworld.com 
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■  VOIP  ■  WIRELESS  LANS 


■  NetPro,  Oblix,  Oxford  Computer 
Group,  PoilltBridge  and  Vintela  last 
week  formed  the  MIIS  Alliance  to  help 
corporations  manage  identities  using 

Microsoft  Identity  Integration 
Server.  Alliance  members  will  offer 
services  and  products  that  comple¬ 
ment  to  one  another  and  the  Micro¬ 
soft  platform  focusing  on  infrastruc¬ 
ture  management,  implementation 
services,  corporate  identity  and  Web 
services  management,  and  platform 
integration.  MIIS  is  a  cornerstone  in 
Microsoft's  identity  management  plat¬ 
form,  which  also  includes  Active 
Directory. 

■  NFR  Security  last  week  announced 
it  will  add  what  it  calls  “dynamic 
shielding"  to  its  Sentivist  intrusion- 
prevention  system.  The  feature  lets 
the  company’s  IPS  sensor  provide 
more  detailed  information  about  appli¬ 
cation  vulnerabilities  by  accepting 
input  from  the  Nessus  and  Nevo  open 
source  vulnerability  scanners.  The 
dynamic  shielding  capability  will  be  a 
software  upgrade  to  the  Sentivist  IPS 
and  won’t  affect  its  price,  which  is 
$13,000  per  sensor. 

■  McAfee  last  week  introduced  a  tool 
to  help  customers  manage  the  com¬ 
pany’s  corporate  security  software. 
ProtectionPilot  is  aimed  at  reducing 
administration  time  by  centrally  de¬ 
ploying  and  managing  security 
updates.  It  also  lets  administrators 
check  for  malware  infections  and  lo¬ 
cate  out-of-date  systems  through  its 
Interactive  Security  Dashboard.  The 
tool  supports  McAfee's  SMB  Edition 
security  software  suites,  which  in¬ 
clude  anti-virus  protection  for  desk¬ 
tops  and  file  servers.  McAfee’s  stand¬ 
alone  Anti-Spyware  enterprise  prod¬ 
uct  also  can  be  managed  using  Pro¬ 
tectionPilot,  the  company  says.  Pro¬ 
tectionPilot  with  McAfee  Active  Virus 
Defense  SMB  Edition,  which  includes 
virus  scanning  for  gateways,  servers, 
workgroups  and  desktops,  is  about 
$919  for  a  five-node  pack.  Pricing  for 
McAfee  Active  VirusScan  SMB 
Edition  with  ProtectionPilot  wasn't 
announced. 


CipherTrust  bolsters  compliance 


■  BY  CARA  GARRETSON 

E-mail  security  vendor  CipherTrust  an¬ 
nounced  last  week  an  upgrade  to  its 
gateway  appliance  with  a  compliance 
control  feature  designed  to  help  cus¬ 
tomers  adhere  to  regulatory  and  corpo¬ 
rate  policies. 

IronMail  5.0,  available  later  this  month, 
will  feature  CipherTrust’s  Compliance 
Control  that  scans  an  organization’s  out¬ 
going  mail  for  content  that  should  not 
leave  the  company  per  corporate  policy 
or  government  regulations  such  as  the 
Health  Insurance  Portability  and  Ac¬ 
countability  Act  (HIPAA)  and  Sarbanes- 
Oxley,  company  officials  say 

The  compliance  feature  will  come  stan¬ 
dard  with  Version  5.0,  which  is  priced  start¬ 
ing  at  $20,000.  Companies  also  can  opt  for 
a  dedicated  version  of  IronMail  that  per¬ 
forms  only  compliance  monitoring  and 
costs  $25,000. 

CipherTrust  joins  a  number  of  e-mail 
security  vendors  such  as  MailFrontier, 


FrontBridge  Technologies,  Barracuda 
Networks,  Proofpoint  and  IronPort 
Systems  in  including  compliance  fea¬ 
tures  to  their  messaging  offerings.  As 
companies  filter  incoming  mail  for 
viruses,  spam  and  other  messaging  abus¬ 
es,  it  makes  sense  to  use  the  same  prod¬ 
ucts  to  scan  outbound  messages  to 
ensure  sensitive  information  isn’t  leav¬ 
ing  the  corporate  network,  one  analyst 
says. 

“1  do  believe  there  are  advantages  to 
an  all-in-one  approach;  it  allows  ser¬ 
vices  to  run  off  a  common  infrastructure 
and  produces  operational  efficiencies 
so  there’s  one  common  console  to  man¬ 
age  all  of  these  different  disciplines,” 
says  Matt  Cain,  an  analyst  with  Meta 
Group. 

With  Compliance  Control,  CipherTrust 
has  upgraded  the  content  filtering  dictio¬ 
naries  included  with  its  appliance  to 
include  terms  and  phrases  associated 
with  specific  regulations  and  to  spot  pat¬ 
terns  associated  with  sensitive  material. 


For  example,  Compliance  Control  scans 
outgoing  mail  for  text  containing  terms 
that  are  associated  with  documents  cov¬ 
ered  by  HIPAA, such  as“medical  provider’’ 
It  also  can  detect  patterns  such  as  the 
number  and  spacing  of  digits  used  in 
Social  Security  numbers  and  credit  card 
numbers,  officials  say 

The  policies  also  can  be  customized  to 
detect  company-defined  patterns,  accord¬ 
ing  to  officials. 

These  capabilities  work  with  IronMail’s 
current  outbound  mail  techniques,  such 
as  scanning  of  attachments  and  encrypt¬ 
ed  messages,  designed  to  help  protect 
companies  from  violating  regulations  or 
losing  sensitive  information. 

From  an  administrative  standpoint, 
Compliance  Control  is  designed  to  be 
managed  by  a  company’s  compliance 
officer,  therefore  taking  the  burden  off  the 
IT  administrator,  officials  say  Messages 
flagged  by  Compliance  Control  can  be 
held  in  quarantine  until  the  compliance 
officer  clears  them.  ■ 


Start-up  to  manage  Exchange  systems 


■  BY  JOHN  FONTANA 

Start-up  Azaleos  this  week  will  debut 
itself  and  its  appliance  aimed  at  helping 
users  create  a  highly-available  and 
remotely-managed  Microsoft  Exchange 
platform. 

Azaleos’  OneServer  is  a  dedicated  appli¬ 
ance  that  provides  an  active/passive,  fault 
tolerant  and  clustered  Exchange  platform 
for  corporate  messaging.  The  appliance, 
which  is  built  on  either  HP  or  Dell  hard¬ 
ware,  runs  Windows  Server  2003  and 
Exchange  2003  and  is  complemented  by 
security  mobility  and  compliance  soft¬ 
ware  from  third-party  vendors. 

The  server,  which  is  focused  on  fortifying 
the  Exchange  message  store,  is  deployed 
within  a  corporation’s  network  yet  man¬ 
aged  remotely  by  Azaleos.  User  manage¬ 
ment  tasks,  such  as  password  changes  and 
message  store  limits,  are  still  done  by  cor¬ 
porate  administrators  through  OneServer’s 
Web-based  administrative  console. 

Azaleos’  OneStop  Subscription  Service 
is  coupled  in  the  OneServer  package.  It 
includes  24-7  monitoring  along  with 
maintenance  and  management  of  the 
appliance  from  the  hardware  to  patch 


management  on  Windows,  Exchange 
and  third-party  software  within  One- 
Server.  Azaleos  tests  the  patches  using  a 
replica  of  the  customer’s  OneServer 
environment  before  pushing  them  out 
to  OneServer,  which  has  a  rollback  fea- 


Mark  Levitt 

Analyst,  IDC 


ture  to  eliminate  downtime. 

“Exchange  can  be  a  challenging  plat¬ 
form  to  keep  up  and  running,”  says  Mark 
Levitt,  an  analyst  at  IDC.  He  says  IDC 
research  has  shown  a  “hefty  management 
load”  for  the  older  Exchange  platforms, 
versions  5.5  and  2000.  “Any  way  a  com¬ 
pany  can  get  help  to  deal  with  patches 
and  upgrades,  and  identify  potential  prob¬ 
lems  as  they  are  developing  will  save 
them  time  and  money  Doing  that  with  an 
appliance  is  not  typical  for  top-tier  soft¬ 
ware,  but  it  reflects  the  fact  that  keeping 


corporate  e-mail  systems  running  smooth¬ 
ly  with  minimal  down  time  is  not  an  easy 
thing,”  Levitt  says. 

While  the  OneServer  is  a  unique 
approach  to  solving  that  issue,  Azaleos 
faces  competition  from  third-party 


Exchange  management  software  vendors 
such  as  Quest,  NetlQ  and  other  start-ups, 
including  Lucid8  Information  Systems. 

But  Azaleos’  angle  is  one  that  should  be 
familiar  to  large  organizations,  according 
to  its  founders. 

“Think  about  this  in  the  context  of  how 
today  people  deploy  storage  devices, 
boxes  that  sit  in  network  and  push  out 
monitoring  information,” says  Keith  McCall, 
co-founder  and  CTO  of  Azaleos.  “We  are 
doing  the  same  thing  for  enterprise 
See  Azaleos,  page  19 


fcl  Exchange  can  be  a  challenging  platform  to  keep 
up  and  running.  91 


- 

EQj  NetworkWorld 

3/21/05 

let  Infrastructure 

www.nwfusion.com 

Symantec  evaluates  threat  potential 

Bombardment  of  phish  scams,  viruses  and  worms  increases,  according  to  Symantec’s  latest  report 


■  BY  ELLEN  MESSMER 

Phishing  scams  and  Windows32-based 
viruses  and  worm  variants  are  on  the  rise, 
according  to  Symantec,  which  this  week 
will  publish  its  semiannual  Internet 
Security  Threat  Report. 

The  report  —  which  looks  at  trends 
between  last  July  and  December  —  gar¬ 
ners  its  research  data  from  Symantec’s  net¬ 
work  of  20,000  sensors,  its  BrightMail  anti¬ 
spam  service  and  2  million  “decoy”  mail¬ 
boxes  around  the  world.There  were  10,310 
phishing  scams  sighted  during  the  six 
months  the  security  report  covers. 
Symantec  says  the  number  of  phishing 
messages  sent  to  intended  victims  rose 
from  9  million  per  week  in  July  to  33  mil¬ 
lion  in  December. 

“These  fake  Web  sites  and  e-mail  scams 
are  seeking  personal  identifiable  informa¬ 
tion,”  says  Jonah  Paransky  senior  manager 
of  security  product  management  at 
Symantec.  By  using  phishing  tactics,  crimi¬ 
nals  intend  to  steal  personal  information 
and  use  it  for  monetary  gain,  he  points  out. 

The  number  of  Win32  viruses  and  worm 
variants  also  continues  to  climb,  with  the 
six-month  period  under  review  showing 
65%  more  viruses  reported  than  the  one 
before,  for  a  total  of  7,360  new  viruses  and 
worms. 

As  of  Dec.  31, 2004,  the  total  number  of 
Win32  viruses  and  worms  approached 


Threat  report 

Between  July  1  and  Dec.  31, 2004, 
Symantec  found: 


•  10,310  new  phishing  scams. 

•  9  million  phishing  messages  per 
week  in  July,  rising  to  33  million  per 
week  in  December. 


•  60%  of  all  e-mail  traffic  was  spam. 

•  Attack  trends  showed  organizations 
facing  13.6  attacks  per  day  vs.  10.6 
the  previous  six  months. 


7,360  new  Win32  viruses  and  worm 
variants,  up  64%  from  before. 


Figures  are  derived  from  Symantec’s  DeepSight  network  of  20,000 
sensors,  its  BrightMail  anti-spam  service  and  2  million  ’’decoy" 
accounts  around  the  world. 


17,500,  which  Symantec  says  could  com¬ 
pel  organizations  to  update  anti-virus 
resources. 

There  weren’t  many  numbers  in  the 
Internet  Security  Threat  Report  that  might 
make  IT  managers  happy  The  number  of 
average  attacks  per  day  on  individual 
organizations  went  up  from  an  average  of 
10.6  to  an  average  of  13.6  attacks  per  day. 
One  of  the  few  numbers  that  went  down 
reflects  the  time  between  the  disclosure  of 
a  vulnerability  and  the  release  of  an  asso¬ 
ciated  exploit  —  5.8  days  to  6.4  days.  “We 


got  an  extra  day  to  prepare,  such  as  [by] 
patching,”  Paransky  says. 

Both  Microsoft  and  open  source  applica¬ 
tions  showed  some  holes.  Symantec  noted 
that  21  vulnerabilities  were  spotted  in  the 
Mozilla  browser  compared  with  13  vulner¬ 
abilities  affecting  Microsoft  Internet 
Explorer. 

For  the  first  time  in  its  Internet  Security 
Threat  Report,  Symantec  began  looking  at 
adware,  the  type  of  spyware  programs  used 
in  marketing,  which  can  cause  computer 
slowdowns  and  privacy  compromise. 

A  program  called  Webhancer,  which 
monitors  visited  Web  sites,  and  Iefeats, 
which  modifies  a  start  page,  were  two  of 
the  most-sighted  adware  programs,  accord¬ 
ing  to  Symantec. 

Spyware,  which  also  can  refer  to  mali¬ 
cious  Trojans  and  keyloggers,  is  a  broad 
term  subject  to  various  interpretations. 
Symantec’s  rival,  McAfee,  prefers  not  to  use 
the  term  spyware,  but  instead  to  refer  to 
adware  and  the  like  as  “potentially  unwant¬ 
ed  programs.” 

Symantec,  which  intends  to  introduce 
enterprise  anti-spyware  products  later  this 
year,  says  it  has  come  up  with  a  way  to  dis¬ 
tinguish  and  classify  the  array  of  trouble¬ 
some  code  raining  down  on  Internet  users 
from  Web  site  downloads  or  e-mail. 

“We  want  to  start  changing  the  conversa¬ 
tion  to  be  centered  around  risk,”  says 
Vincent  Weafer,  senior  director  of 


Symantec’s  Security  response  group,  about 
spyware.  “These  programs  produce  a  secu¬ 
rity  risk.  And  in  the  research  labs,  we’re 
looking  at  the  functionality  of  these  pro¬ 
grams  and  putting  them  in  categories.” 

Symantec’s  risk-impact  model  is  based 
on  five  metrics  to  be  applied  to  spyware: 
the  performance  impact  on  computer 
system  performance;  the  privacy  impact; 
how  hard  it  is  to  remove  it;  the  relative 
stealth  of  the  code  in  installation  and 
concealment;  and  the  prevalence  of  it. 

Weafer  says  a  rating  of  high,  medium 
and  low  can  be  applied  to  each  of  these 
categories.  This  categorization  of  spyware 
code,  and  the  concept  of  authorization 
vs.  non-authorization,  is  expected  to  fac¬ 
tor  into  the  design  of  Symantec’s  anti-spy¬ 
ware  software.  ■ 


More  online! 

Johna  Till  Johnson,  founder  of  Nemertes  Research, 
offers  practical  advice  in  this  Webcast  for  structuring 
what's  called  “The  New  Data  Center." 
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SAML  2.0  gets  standards  stamp 


■  BY  JOHN  FONTANA 

A  standards  body  has  approved  the 
long-awaited  Version  2.0  of  the  Security 
Assertion  Markup  Language,  a  milestone 
that  is  expected  to  add  fuel  to  corporate 
interest  in  sharing  identities  with  business 
partners. 

Version  2.0  also  should  fan  the  flames 
around  integration  of  SAML  and  compet¬ 
ing  federation  protocols,  most  notably  WS- 
Federation,  which  Microsoft  and  IBM 
developed. 

SAML  is  the  leading  protocol  in  use 
today  for  federating  identity,  which  lets 
companies  issue  user  authentication  and 
authorization  credentials  that  are  valid 
across  corporate  boundaries.  The  Organ¬ 
ization  for  the  Advancement  of  Struc¬ 
tured  Information  Standards  (OASIS)  last 
week  put  its  stamp  of  approval  on  SAML 
2.0  after  nearly  18  months  of  work. 

SAML  2.0  brings  together  work  by 
OASIS,  the  Liberty  Alliance  and 
Shibboleth,  an  effort  to  create  federated 
identity  standards  for  Internet2. 

“SAML  2.0  is  a  milestone  for  the  federa¬ 
tion  industry  and  will  likely  be  a  major 
accelerant,”  says  Andre  Duran,  CEO 
of  PingID,  which  develops  a  federation 
server  called  PingFederate.  “Standards 
fragmentation  has  kept  the  market  con¬ 
fused  and  implementation  overly  compli¬ 
cated.  At  this  point,  mainstream  adoption 
of  identity  federation  is  no  longer  inhibit¬ 
ed  by  standards,  but  by  quality  products 


which  are  tested  secure  and  validated 
interoperable.” 

A  group  of  13  vendors  met  last  month  at 
the  RSA  Conference  to  prove  interoper¬ 
ability  during  a  SAML  2.0  test  that  included 
the  federal  government  and  its 
E-Authentication  Initiative. 

SAML  already  enjoys  some  high-profile 
test  cases  in  deployments  by  Fidelity 
Investments,  which  has  more  than 
200,000  end  users  accessing  benefits 
information  using  SAML-based  federation 
services,  and  at  Boeing,  which  has  nearly 
a  dozen  SAML  projects  underway  includ¬ 
ing  a  federated  identity  project  with 
Southwest  Airlines. 

SAML  2.0  is  significant  because  it  adds 
features  such  as  account  linking,  global 
logout,  attribute  exchange  with  privacy 
features  and  interoperability  with 
Shibboleth  and  Liberty. 

While  those  features  pump  up  the 
potential  of  the  protocols,  experts  say  cor¬ 
porations  will  have  to  perform  privacy 
impact  assessments  and  more  deeply 
integrate  security  and  directory  infra¬ 
structure  before  rolling  out  SAML  2.0. 
Also,  cross-company  testing  and  deploy¬ 
ment  will  be  more  complex  over  the 
basic  federation  offered  with  SAML  1.0 
and  1.1. 

Despite  the  milestone  that  SAML  2.0 
represents,  what  is  still  missing  is  an 
intersection  with  work  Microsoft  and 
IBM  are  doing  around  WS-Federation. 
Experts  say  the  twro  eventually  will  con¬ 


verge,  but  the  effort  currently  appears  to 
be  stagnant. 

In  the  interim,  Microsoft’s  WS- 
Federation  partner,  IBM,  has  decided  to 
support  the  trio  of  federation  protocols, 
SAML  2.0,  Liberty  and  WS-Federation,  in 
a  forthcoming  version  of  its  Tivoli 
Federated  Identity  Manager,  which  is  cur¬ 
rently  in  beta  testing.  Also,  RSA  Security 
and  VeriSign,  which  helped  co-author 
WS-Federation,  plan  to  support  Liberty 
and  SAML.  And  other  identity  stalwarts 
such  as  Sun,  Oblix  and  Computer 
Associates/Netegrity  plan  to  support  all 
three  protocols. 


Microsoft  officials  say  they  will  evaluate 
SAML  2.0  and  determine  how  the  proto¬ 
col’s  token  format  will  be  supported  with¬ 
in  WS-Federation. 

The  SAML  protocol  includes  both  a 
token  format  and  a  request/response 
engine  that  are  tightly  coupled.  WS- 
Federation,  which  separates  the 
request/response  engine  and  token  for¬ 
mat,  supports  many  tokens,  including 
SAML,  Kerberos  and  X.509. 

This  fall,  Microsoft  plans  to  offer  its  first 
federation  server  with  support  for  WS- 
Federation  with  the  release  of  Active 
Directory  Federation  Services.  ■ 


Azaleos 

continued  from  page  17 

messaging. You  can  think  about  this,  in  the 
consumer  space,  as  the  TiVb  of  enterprise 
messaging.” 

The  OneServer,  which  supports  up  to 
2,500  users  on  one  appliance,  wraps 
Exchange  and  Active  Directory  interfaces 
into  a  set  of  .Net  Web  services  that  Azaleos 
uses  to  remotely  access  the  OneServer. The 
appliance  also  features  third-party  soft¬ 
ware,  including  Sybari  Antigen  for 
Exchange  8.0  to  provide  anti-virus  and  anti¬ 
spam  capabilities,  Enterprise  Vault  from 
KVS  for  archiving  and  compliance  and 
GoodLink  Server  technology  by  Good 
Technology  to  support  mobile  users. 
OneServer  also  exposes  the  APIs  that  let 


Exchange  integrate  with  Microsoft’s  other 
collaboration  servers  and  tools  such  as 
Microsoft  Operations  Manager. 

OneServer  also  includes  directory 
migration  tools  that  can  pull  in  user  infor¬ 
mation  and  automatically  create  mailbox¬ 
es,  an  embedded  SQL  Server-based  help 
desk  ticketing  system,  role-based  adminis¬ 
tration  for  user  self-service  and  transac¬ 
tion  audit  logs. 

Azaleos  was  founded  in  August  2004  by 
Microsoft  veterans  Roger  Gerdes,  who  is 
CEO,  and  Keith  McCall,  who  serves  as  CTO, 
and  is  backed  by  a  Series  A  round  of  fund¬ 
ing  from  Second  Avenue  Partners. 

OneServer  costs  $30,000  and  $35,000 
with  IT  byte  of  storage.  The  cost  for 
OneStop  Subscription  Service  starts  at  $7 
per  user,  per  year.  ■ 


When  business  losses  are  measured  in 
seconds ,  preemption  beats  “ reaction "  every  time. 

The  only  effective  security  is  preemption.  This  preemptive  power  is  only  available 
with  the  Proventia™  ESP  Security  Platform  from  Internet  Security  Systems.  When  software  security 
flaws  are  discovered,  Internet  Security  Systems’  world-renowned  research  team  updates 
Proventia  to  immediately  shield  against  any  attacks  targeting  weak  spots.  Regardless 
of  the  size  of  your  business,  this  new  standard  in  Internet  security  can  help  keep 
you  off  the  path  to  disaster  and  reduce  your  total  cost  of  ownership  -  In  fact,  when 
we  manage  Proventia  for  you,  we'll  even  guarantee  protection.  Need  proof? 
Get  your  free  whitepaper,  Preemptive  Protection:  Setting  a  New  Standard  in  Security, 
at  www.iss.net/proof/wp  or  call  800-776-2362. 
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E:  The  Gigabit  Ethernet  players. 


Extreme  and  Foundry  keep  on  ticking 


■  BY  PHIL  HOCHMUTH 

Among  the  hype-fueled  Gigabit  Ethernet  start-ups  that 
emerged  in  the  mid-1990s  —  Alteon,  Granite 
Systems,  Prominent,  Packet  Engines,  Rapid  City  — 
Extreme  Networks  and  Foundry  Networks  are  the  last 
independent  vendors  still  standing. 

Extreme  CEO  Gordon  Stitt  and  Foundry  CEO  Bobby 
Johnson  say  the  ability  to  adapt  to  market  changes,  inno¬ 
vate  during  downturns  and  push  into  new  markets  has 
helped  their  firms  remain  intact.  Observers  say  each  ven¬ 
dor  still  faces  challenges  from  LAN  and  WAN  commoditi¬ 
zation,  new  low-cost  competitors  and  the  same  nemesis 
both  firms  shared  nine  years  ago:  Cisco. 

Both  Extreme  and  Foundry  came  roaring 
out  of  start-up  mode  with  flashy  new 
Gigabit  Ethernet  switches.The  companies’ 
fortunes  were  taken  to  greater  heights  as 
the  telecom  and  dot-com  bubble  swelled, 
with  Internet  companies  buying  up  gear 
for  speeding  Web  sites  and  carriers  rolling 
out  equipment  for  meeting  skyrocketing 
bandwidth  demands. 

After  IPOs,  which  flooded  both  compa¬ 
nies  with  capital,  both  vendors  went  hard 
after  the  emerging  telecom  market,  particu¬ 
larly  metropolitan-area  network  service 
providers,  which  promised  services  such 
as  Fast  and  Gigabit  Ethernet  services 
based  on  dark  fiber.  Both  companies 
developed  technology  to  let  their  switches 
act  more  like  SONET  gear  in  carrier  net¬ 
works,  developing  technologies  that  allow 
for  fast  traffic  failover,  QoS  and  security  in 
the  cloud. 

Extreme’s  Stitt  says  he  likes  the  decisions 
his  firm  has  made  in  venturing  into  new 
markets. 

“We  haven’t  been  afraid  to  break  with 

our  history  Stitt  says,  referring  to  forays  the  v - 

LAN  switch  company  has  made  into  wire¬ 
less  LANs  (WLAN)  and  carrier  network  technology  “We 
wanted  to  build  a  long-lasting,  sustainable  company  [But] 
if  Cisco  was  the  General  Motors  of  the  industry’ when 
Foundry  came  on  the  scene  in  1996, “we  wanted  to  be 
Porsche,"  Johnson  says. 

Both  CEOs  say  that  staying  innovative  during  the  tech¬ 
nology  downturn  between  2000  and  2002  was  key  to 
their  survival. 

Stitt  says  two  of  Extreme’s  “biggest  innovations” —  its 
fourth-generation  of  ASICS  and  its  modular  XOS  switch 
operating  system  —  were  developed  between  2001  and 
2003. 

Likewise,  Johnson  says  his  firm  is  stronger  coming  out 
of  the  downturn. 

“Those  storms  slowed  down  some  of  our  initiatives,”  he 
says,  with  the  vendor’s  revenue  shifting  drastically  from 
75%  carrier/25%  enterprise  to  the  current  ratio  of  75% 
enterprise/25%  carrier.“But  it  hasn’t  changed  the  core  cul¬ 
ture  of  Foundry. We  did  very  little  layoffs,  and  we  re¬ 
mained  profitable  [through  most  of  the  downturn]  and 
continued  to  hire  through  the  majority  of  that  time,”  he 
says. 


Growth  areas  the  CEOs  foresee  the  extension  of 
Ethernet  into  carrier  networks. 

“U.S.  [carriers]  are  stubbornly  sticking  to  SONET  tech¬ 
nologies,  whereas  the  rest  of  the  world  is  going  to  Ether¬ 
net,”  Stitt  says. 

“There  are  tremendous  cost  savings”  yet  to  be  realized 
by  large  U.S.  carriers  by  using  10G  Ethernet  vs.OC-192 
SONET  technology  Johnson  says. 

Foundry  and  Extreme  have  had  similar  revenue  num¬ 
bers  over  the  last  several  years;  Extreme  has  averaged 
about  $411  million  in  revenue  per  year  since  2001,  while 
Foundry’s  revenue  has  averaged  $355  million.The 
momentum  of  late  is  with  Foundry  with  its  sales  jumping 
from  $31 1  million  in  2001  to  $409  million  last  year. 


reflect  the  personality  of  the  CEOs,” says  Zeus 
Kerravala,an  analyst  with  The  Yankee  Group. 

Extreme’s  Stitt  “does  a  lot  of  public  speaking  and  is 
very  visible  on  Wall  Street,”  Kerravala  says.“Bobby 
[Johnson]  has  been  much  more  conservative.  He’s 
been  reluctant  to  get  into  markets  Wall  Street  has 
advised  him  to  get  into  [such  as  enterprise  routing]. 
He’s  been  very  singularly  focused  in  building  a  high- 
performance  product.  It’s  not  very  sexy,  and  Wall  Street 
often  doesn’t  like  the  approach.” 

The  names  of  the  two  companies  are  also  very  fitting, 
he  says. 

“You  think  of  Foundry  as  a  bunch  of  guys  in  a  hot 
room  banging  on  metal. You  think  of  Extreme, you  envi¬ 


Dealing  with  the  ups  and  downs 

Some  high  and  low  points  of  network  rivals  Foundry  Networks  and  Extreme  Networks  since  their  respective  beginnings. 


2001 

•  Extreme  introduces  Ethernet  Automatic 
Protection  Switching,  a  SONET-like 
technology  aimed  at  carriers. 

2000 

•  Foundry  introduces  its 
Netlron  Internet  router, 
targeting  rivals  Juniper 
and  Cisco  in  the  'Net  core. 

1999 

•  April:  Extreme 
goes  public. 

•  September: 

Foundry  goes  public. 

L 


2002 

•  January:  Foundry  introduces  10G 
Ethernet  modules. 

•April:  Extreme  launches  10G 
Ethernet  modules. 


2004 

•  March:  Extreme  jumps  into  the  WLAN  market 
with  its  Summit  S400  series  ofWLAN  switches 
and  access  points. 

•  September:  Foundry  announces  WLAN 
switching  capabilities,  plans  for  access  points. 


April:  Foundry  launches  its  next-generation  “Mucho 
Grande"  10G  switch  platform. 

•  November/December:  Extreme  announces  a 
partnership  to  co-develop  and  support  VoIP  products 
with  Avaya  and  debuts  the  BlackDiamond  10K 
backbone  switch. 


Extreme  has  seen  its  sales  slide  from  almost  half  a  bil¬ 
lion  in  2001  to  $351  million  last  year.  Meanwhile, 

Extreme  has  posted  losses  the  last  four  years,  while 
Foundry  has  been  profitable  since  2001. 

As  for  market  share  position,  both  firms  have  hovered 
in  the  same  neighborhood.  In  2001,  Extreme  had  3.3% 
of  the  total  LAN  switch  market  revenue,  while 
Foundry’s  share  was  2.2%.  Last  year,  Foundry  accounted 
for  3.2%  of  the  total  LAN  switch  sales,  while  Extreme’s 
share  was  2.2%. 

Over  the  years,  both  vendors  have  gone  after  new  mar¬ 
kets  with  mixed  results.  Foundry  made  Layer  4-7  switch¬ 
ing  a  pillar  of  its  product  offerings.  Extreme  purchased 
Web  switching  vendor  WebStacks  in  2001,  but  did  not 
establish  a  significant  presence  in  the  Layer  4-7  market. 

For  Foundry  entrance  into  new  markets  remains 
mostly  through  internal  product  development,  driven 
by  the  demands  of  its  current  customer  base. 

For  Extreme,  other  areas  for  growth  include  the  closer 
integration  of  enterprise  software  applications  and  the 
network  hardware  layer. 

“If  you  look  at  the  way  the  companies  are  run,  they 


sion  guys  in  baggy  pants  saying  ‘Hey,  dude,”’  he  says. 

Kerravala  says  Foundry  has  been  successful  at  stick¬ 
ing  with  its  focus  on  high-performance. 

“What  they  sell  is  very  basic  —  a  high-performance 
switch  at  a  fair  price. That’s  always  been  their  differen¬ 
tiator.  It  was  a  little  boring  in  the  ’90s,  but  they  stayed 
with  what  they  knew” 

Meanwhile,  Extreme’s  shifts  in  focus  over  the  years 
might  have  held  back  the  company’s  ability  to  estab¬ 
lish  itself  in  a  particular  niche. 

“But  if  you  ask  people  why  they  bought  Extreme, 
they’d  say  it’s  because  they’re  like  Cisco,  but  cheaper,” 
Kerravala  says. 

The  challenge  for  both  vendors  is  finding  new  ways 
to  grow  in  a  market  that  is  becoming  commoditized 
with  lower  margins  and  more  competition  from  low- 
cost  competitors.  Both  vendors  have  made  forays  into 
the  WLAN  market  as  a  way  to  grow  revenue  from  their 
customer  bases.  Foundry  also  has  introduced  WAN 
router/firewall  products  for  enterprise  customers,  hop¬ 
ing  to  skim  some  market  share  from  router  leader 
Cisco.  ■ 


gVpKfT  */'  ' 


Your  potential.  Our  passion1 

. 

Microsoft 


JizTalk  Server  2004  named  InfoWorld 
best  Process  Automation  Solution. 


Get  the  story  or  enlist  a  Microsoft  Certified 
Partner  at  microsoft.com/biztalk 


Data  Management  and  Compliance 

See  it  All  i  One  Place 


350+  Top  Exhibitors  on 
the  Exhibit  Floor  with 
8  Targeted  Technology 
Zones  and  Pavilions 

1 00+  Educational  Sessions, 
including  6  Comprehensive 
Conferences  Revolving  Around  6  Key 
Themes,  3  Special  Interest  Days 
and  36  Tutorials  and  Workshops 

6  Visionary  Keynotes 
by  Leading  Industry 
Executives 


Visionary  Keynotes 

John  Chambers 

President  and  Chief  Executive  Officer, 
Cisco  Systems 


Hossein  Eslambolchi 

President — AT&T  Global  Networking  Technology 
Services,  Chief  Technology  Officer  and  Chief 
Information  Officer,  AT&T 

Scott  Kriens 

Chairman  and  Chief  Executive  Officer, 

Juniper  Networks 


NetworkWorld 
Survivor  Las  Vegas 


Sean  Maloney 

Executive  Vice  President 
General  Manager,  Mobility  Group, 
Intel 

Andy  Mattes 

President  and  Chief  Executive  Officer, 
Siemens  Communication  Networks 


i 


Your  Source  for  Building  a  Better  IT  Infrastructure 


MediaLive' 

INTERNATIONAL 


Register  Today  at  www.interop.com 


Copyright  C  2005  MediaLive  International,  Inc.,  795  Folsom  Street  6th  Floor,  San  Francisco,  CA  941 07.  All 
Rights  Reserved.  MediaLive  International,  NetWorld,  Interop  and  associated  design  marks  and  logos  are 
trademarks  or  service  macks  owned  or  used  under  license  by  MediaLive  International,  Inc  and  may  be 
registered  in  the  United  States  and  other  countries.  Other  names  mentioned  may  be  trademarks  or 
service  marks  of  their  respective  owners. 


Use  priority  code  MLAHNVOI  and  receive 
$  1 00  off  any  educational  product. 


rfflMH 


LOCKING  DOWN 


Because  perimeter  security  will  never  be  perfect,  experts  turn  their 
attention  to  securing  the  corporate  jewels  —  the  applications. 

■  By  Joanne  Cummings 


Your  organization  understands 
security  It  follows  best  practices, 
has  the  requisite  firewalls,  anti¬ 
virus  and  intrusion-detection  sys¬ 
tems  in  place  along  the  perimeter, 
and  only  communicates  with  mobile  users  or 
business  partners  via  secure  VPNs. 

And  when  end  users  enter  the  network  via 
the  VPN  they  are  vetted  by  a  separate  security 
server  to  ensure  their  machines  are  properly 
configured  with  the  appropriate  firewall  and 
anti-virus  tools  before  they’re  granted  access 
to  core  applications. 

The  company  even  goes  as  far  as  deploying 
application-specific  firewalls  and  intrusion- 
prevention  systems  (IPS)  around  the  most 
critical  application  servers,  watching  for  and 
blocking  non-appropriate  application  calls  and  traffic. 

It’s  what  the  pundits  call  “defense  in  depth,”  and  you’ve  got  it 
in  spades. 

But  even  though  the  company  has  probably  spent  thousands, 
maybe  millions, of  dollars  on  security  infrastructure, chances  are 
it  will  still  get  hit  by  the  latest  virus  or  worm. 

“What’s  wrong  with  this  picture?”  asks  Paul  Simmonds,  direc¬ 
tor  of  global  information  security  at  London  chemical  con¬ 
glomerate  ICI  and  a  co-founder  of  the  Jericho  Forum.“What  we 
have  is  back  to  front,  at  the  moment.  We’re  saying  that  since  we 
can’t  secure  our  applications,  we  need  to  put  in  firewalls  and 
kludges  all  over  the  place  to  make  what  we  have  at  least  semi- 
secure,  and  even  that’s  not  working.  But  why  not  just  go  back  to 
first  principles  and  get  this  secure  from  the  outset,  at  the  appli¬ 
cation  level?” 

An  applications  deployment  nightmare 

Experts  agree  that  the  security  focus  needs  to  shift.  “For  any¬ 


body  who’s  thinking  about  new  hacking 
techniques,  the  soft  target  now  isn’t  the  network 
or  the  operating  system.  It’s  the  applications,”  says  Thomas 
Longstaff,  deputy  director  for  technology  at  security  organiza¬ 
tion  CERT.  Because  no  matter  how  much  technology  you  put  in 
place  around  applications,  in  order  to  use  them,  you  have  to 
open  them  to  end  users  and  other  processes. 

“It  doesn’t  make  any  sense  to  protect  all  this  information  if  you 
can’t  get  to  it,”  Longstaff  says.  “You  have  to  provide  access  to 
wherever  the  clients  happen  to  be.  And  that  means  that  you’re 
really  relying  on  the  proper  configuration  and  security  of  not 
only  every  application  server  but  also  every  end  user  that’s 
going  to  use  the  application." 

Complicating  matters  is  that  application  vendors  implement 
security  measures  differently  such  as  authentication  and 
authorization,  encryption  and  so  on. 


application  security 


1.  Take  application  security  as  seriously  as  network  and  operat¬ 
ing  system  security.  Many  organizations  have  bulletproof  policies 
around  operating  system  patch  management  and  network  configuration 
management  but  have  no  policies  concerning  upgrading  application  secu¬ 
rity  and  configurations.  But  applications  are  just  as  important,  if  not  more 
so,  when  building  good  security  postures. 

2.  Purchase  with  application  security  in  mind.  Not  only  should  you 
stipulate  good  application  security,  but  users  should  require  ease  of  use 
and  interoperability  within  their  applications  contracts. 

3.  Don’t  tie  security  to  the  network.  As  networks  and  data  centers 
evolve,  the  best  security  will  be  at  the  application  layer,  within  the  proto¬ 
cols,  and  not  tied  to  IP  addresses. 

4.  Keep  an  eye  on  Web  services  and  identity  management.These 
areas  currently  are  pursuing  the  best  models  for  ensuring  application- 
level  security. 

5.  Be  proactive.  At  the  least,  insist  that  every  new  application  you  buy 
supports  secure  protocols  and  doesn't  rely  on  lowest  common  denomina¬ 
tors  such  as  FTP  and  Telnet. 


“We’re  still  pretty  much  in  the  Wild  West 
phase  of  applications  security,  where 
everybody  who  has  a  good  idea  goes  off 
and  does  it  their  own  wa^’  Longstaff  says. 
“Very  few  vendors  are  trying  to  bring 
their  applications  together  under  a  single 
framework  for  security’ 

That  makes  it  hard  for  end  users  to 
securely  deploy  and  configure  their  busi¬ 
ness-critical  applications.  “When  deploy¬ 
ing  new  applications,  users  are  faced 
with  a  long  list  of  security  check  boxes” 
Longstaff  says.  ‘And  the  onus  is  on  them 
to  figure  out  each  application’s  inherent 
security  problems,  how  best  to  shore 
them  up,  and  then  how  to  make  sure  the 
best  security  configurations  for  one 
application  don’t  interfere  or  override 
the  security  configurations  for  another” 

That’s  now  the  most  daunting  area, says 
Brian  Young,  vice  president  of  IT  at 
Creighton  University  in  Omaha,  Neb.“It’s 
like  you  have  to  be  a  NASA  engineer  to 
make  the  security  pieces  work  for  some 
applications,”  he  says.“In  many  cases,  the 
only  folks  who  know  how  to  work  it  are 
the  engineers  in  the  company  who  built 
it.  And  that’s  not  user-friendly.  It  makes  it 
really  difficult  to  deploy’ 

Longstaff  says  applications  vendors 
will  eventually  have  to  rally  around 
standardization,  some  kind  of  security 
middleware  that  will  ensure  that  every 
application  implements  security  in  a 
standard  way. 

“When  we  have  a  better  layer  of  mid¬ 
dleware  out  there  that  the  applications 
developers  can  begin  to  use,  then  this 
problem  will  get  better’’ he  says.  “We  will 
have  tighter  application  security,  a  more 
uniform  interface  and  an  easier  end-user 
experience  when  adjusting  the  security 
parameters.” 

But  all  that  will  take  time,  and  while  the 
industry  waits, applications  will  continue 
to  be  soft  targets. 

Interim  solutions 

That  doesn’t  mean  today’s  organiza¬ 
tions  can’t  keep  their  applications 
secure.  Experts  say  the  key  is  to  deploy 
applications-based  security  strategically, 
with  an  eye  to  the  future.  Many  organi¬ 
zations  looking  at  applications  security 
tend  to  focus  on  IP-based  solutions  such 
as  application-specific  firewalls  or  IPSs. 
Proponents  of  these  tools  tout  the  fact 
that  they  can  be  deployed  around  criti¬ 
cal  applications  servers  and  then  outfit¬ 
ted  with  policies  to  ensure  that  only 


acceptable  types  of  traffic  can  access 
the  application. 

“Rather  than  identifying  and  blocking 
all  the  bad  traffic,  we  take  it  from  the 
other  perspective  and  say  what  traffic 
should  be  allowed,  what  is  acceptable  to 
the  application,”  says  Mike  Paquette,  vice 
president  of  marketing  and  product 
management  at  IPS  vendor  Top  Layer 
Networks.  Paquette  says  tools  like  his 
firm’s  Attack  Mitigator  can  shore  up  appli¬ 
cation  defenses,  especially  in  cases 
where  the  applications  haven’t  been  con¬ 
figured  properly  for  security 

Say  you  roll  out  a  Microsoft  Web  server 
and  enable  WebDAY  a  Web  authoring 
tool  that  shouldn’t  be  turned  on  in  a  pro¬ 
duction  environment.  “It’s  a  mistake,” 
Paquette  says, “but  you  can  set  up  a  poli- 


cy  within  an  IPS  to  watch  every  request 
that  comes  into  that  application,  and  if 
one  contains  a  command  specific  to 
WebDAY  you  can  block  it.”  It’s  an  added 
layer  of  protection. 

Such  tools  are  helpful  but  don’t  solve 
the  right  problem  in  the  long  run,  some 
experts  say.“You  really  need  to  move  up 
the  stack,”  says  Andreas  Antonopoulos, 
senior  vice  president  and  founding  part¬ 
ner  at  Nemertes  Research. “Using  a  fire¬ 
wall  or  IPS  that  can  understand  TCP  or 
HTTP  isn’t  really  the  right  way  to  do  it. 
You’re  peeking  up  into  the  application 
from  the  network  layer,  but  you’re  still 
very  much  tied  to  the  IP  address,  and 
you’re  still  very  much  grounded  in  the 
network.” 

Such  an  IP-centric  strategy  becomes  es- 


pecially  problematic  when  firms  begin 
moving  to  the  concept  of  the  new  data 
center,  in  which  core  applications  servers 
are  virtualized  and  applications  are  provi¬ 
sioned  automatically  and  on  demand. 
Using  IP-based  security  tools  in  such  a 
flexible  environment  leads  to  unneces¬ 
sary  complexity  and  can  hamper  the 
organizations  ability  to  do  business. 

“You  end  up  tying  your  infrastructure 
down  and  making  it  less  dynamic,” 
Antonopoulos  says. 

This  is  because  such  tools  tend  to  asso¬ 
ciate  specific  servers  at  specific  IP 
addresses  with  specific  functions, such  as 
Web  serving. 

“And  that  totally  negates  the  idea  of  any 
automated  provisioning  system,”  he  says. 
“In  that  scenario,  you  have  two  choices: 
Either  your  security  infrastructure  be¬ 
comes  more  flexible  and  adaptive,  or 
you’re  forced  to  set  up  a  ton  of  proxies 
and  redirections  and  things  like  that  to 
compensate.” 

Instead  of  using  the  IP  address  for  a 
Web  server,  organizations  should  set  up 
things  like  DNS  to  resolve  the  IP  address¬ 
es  dynamically  as  they  move  applica¬ 
tions  on  the  fly,  he  says.“But  that’s  terribly 
kludg/  he  says.  “For  one  thing,  you’ve 
introduced  a  security  risk  so  that  if  some¬ 
one  rewrites  that  DNS  entry  they  can 
hijack  your  Web  server.  And  secondly 
you’ve  added  another  layer  of  redirec¬ 
tion,  which  is  a  nightmare.” 

The  best  approach,  Antonopoulos  says, 
is  identity  management-based  security 
“With  identity  management,  you  ignore 
the  network  completely’  he  says.  “So 
instead  of  thinking  of  the  finance  depart¬ 
ment  as  five  IP  addresses,  it  becomes  five 
servers  or  users.  It’s  all  policy-based,  with 
application  domains  and  organizational 
domains  within  the  company  that  are 
completely  disassociated  from  the 
underlying  network.” 

He  also  says  emerging  protocols,  such 
as  the  Security  Assertion  Markup  Lan¬ 
guage  (SAML),  which  lets  Web  services 
applications  exchange  authentication 
information  at  the  middleware  layer,  are 
a  step  in  the  right  direction. 

“That  stuff  is  available  now,  but  it’s  only 
happening  among  the  vendors  who  see 
it  from  the  application  perspective,”  he 
says, adding  that  the  vendors  to  watch  are 
in  the  identity-management  and  Web 
services  realms.  “If  they  support  SAML 
today  they  get  it." 


Proactive  steps 

In  the  end,  the  best  defense  is  always  a 
good  offense.  Rather  than  complacently 
accepting  unsecure  applications,  experts 
urge  companies  to  demand  better  appli¬ 
cation-level  security  from  the  vendors. 

Creighton’s  Young  says  he  avoids  secu¬ 
rity  configuration  and  interoperability 
problems  by  making  key  stipulations  in 
applications  contracts. 

“Before  we  sign  a  contract  to  buy  an 
application,  I  add  in  clauses  for  service- 
level  agreements  and  assurances  that  the 
applications’ security  levels  are  both  easy 
to  configure  and  as  user-friendly  as  they 
were  said  to  be, ’’Young  says.“And  if  there 
are  conflicting  issues  between  applica¬ 
tions,  I  say  it’s  their  problem  and  they 
have  to  bring  about  a  resolution. We  wrap 
all  that  into  the  contract,  and  it  lets  us 
turn  the  tables  on  the  vendors  and  make 
them  accountable.” 


Similarly  it’s  important  to  demand  that 
applications  vendors  support  secure  pro¬ 
tocols.  ICI’s  Simmonds  says  his  business 
units  are  continuously  pressuring  him  to 
make  it  easier  to  run  applications  over 
the  Internet,  for  flexibility  and  cost.  “But 
the  Internet  fundamentally  is  insecure,” 
he  says.“And  you’d  be  surprised,  but  a  lot 
of  vendors  don’t  seem  to  realize  that. 
They  still  design  new  applications  that 
use  Telnet  and  FTP” 

One  ICI  business  refused  to  accept  FTP 
as  the  default  standard  in  an  ERP  appli- 
cation.“We  told  our  ERP  vendor  we  were 
required  to  use  AS2  to  communicate 
with  our  business  partners  and  asked 
them  how  to  go  about  it, ’’Simmonds  says. 
Little  did  ICI  know, but  the  vendor  already 
had  an  AS2  plug-in  module  available.“We 
bought  the  module,  plugged  it  in  and  a 
week  later,  we  were  up  and  running.” 

“This  stuff  is  possible,  and  it  does 
exist,”  he  says.  “It’s  just  that  it’s  a  secret 
and  the  default  —  the  accepted  way 
that  they  tell  you  to  do  it  —  is  to  use  FTP 


which  is  wrong.” 

Simmonds  says  users  should  demand 
that  application-level  security  work  within 
your  company  as  well  as  across  compa¬ 
nies,  customers  and  business  partners. 

“Today  Microsoft  will  say  if  you  buy  our 
latest  Office  suite  and  XP  you  can  do 
secure  digital  encryption  and  manage¬ 
ment  on  all  your  documents,”  Simmonds 
says.“But  if  you  need  to  do  business  with 
a  partner  on  Unix  or  running  an  earlier 
release  of  Office,  it  won’t  work.  Either  you 
don’t  do  it,  or  you  have  to  decrypt  it  when 
it  goes  outside  your  business.  That’s  not 
acceptable.” 

The  key  he  says,  is  to  spend  less  time 
evaluating  and  managing  interim  solu¬ 
tions  and  more  time  pushing  vendors  to 
shore  up  applications. 

“The  danger  is  that  we’re  so  caught  up 
in  all  of  these  wonderful  initiatives  and 
the  latest  black  box  that  we  lose  sight  of 


the  big  picture,”  he  says.“You  have  to  put 
in  these  things  now  because  your  busi¬ 
ness  still  needs  to  run.  But  what  you  need 
to  do  is  save  15%  to  20%  of  your  time  to 
step  back  and  realign  your  resources  to 
where  they’ll  do  the  most  good  —  on  the 
applications  end.” 

In  the  rosiest  scenario,  vendors  eventu¬ 
ally  will  produce  applications  that  can 
run  securely  over  the  Internet,  without 
the  need  for  savvy  customers  imple¬ 
menting  the  appropriate  security  via 
firewalls,  VPNs  and  other  devices  ad 
nauseum. 

But  if  that  scenario  is  to  approach  reali¬ 
ty,  organizations  need  to  start  prodding 
vendors  now.“You  have  to  remember  that 
anything  you  are  getting  on  the  market  in 
two  year’s  time  is  in  the  R&D  lab  today  So 
we  need  to  influence  that  now,” 
Simmonds  says. 

Cummings  is  a  freelancer  in  North 
Andover,  Mass.  She  can  be  reached  at 
jocummings@comcast.  net. 


“YOU  NEED  TO  SAVE  15%  TO  20% 
OF  YOUR  TIME  TO  STEP  BACK  AND 
REALIGN  YOUR  RESOURCES  TO 
WHERE  THEY’LL  DO  THE  MOST 
GOOD  —  ON  THE  APPLICATIONS 

END.’  Paul  Simmonds,  ICI 
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bite!  Lessons  from  leading  users 


Grid  technology  aids  hospital's  diagnostics 


l 


■  BY  DENISE  DUBIE 

Doctors  often  need  to  balance  the  urgency  of  med¬ 
ical  conditions  with  performing  thorough  analy¬ 
sis  to  arrive  at  an  accurate  diagnosis.  Ideally  theyd 
like  to  do  both. 

Dr.  Eric  Bremer  at  Children’s  Memorial  Research  Cent¬ 
er  in  Chicago  turned  to  data  mining  and  grid  technolo¬ 
gy  to  help  his  organization  garner 
speedy  research  results,  while  also  per¬ 
forming  thorough  analysis.  With  nearly 
3,000  children  diagnosed  with  brain 
tumors  in  the  U.S.  each  year  and  more 
than  12  brain  tumor  types,  he  says  it’s 
critical  that  doctors  hit  the  right  diag¬ 
nosis  —  fast. 

Using  grid  technology  the  hospital’s 
director  of  the  Brain  Tumor  Research 
Program  was  able  to  reduce  the  time  it 
took  a  text-mining  application  to  run 
from  more  than  24  hours  to  just  less 
than  an  hour  and  20  minutes.  Aside 
from  tapping  internal  resources, 

Bremer  says  he  expanded  his  research 
capabilities  and  speeded  results  with¬ 
out  adding  significant  cost,  mainte¬ 
nance  and  IT  burdens. 

“Our  overall  goal  is  to  define  better 
diagnostics  and  therapies  for  kids  with 
brain  tumors.  We  wanted  to  lift  the 
human  barrier  to  working  with  such 
vast  amounts  of  data  within  realistic 
time  frames,”  he  says. 

Bremer  last  year  rolled  out  Lexi- 
Quest  Mine,  a  data-mining  application 
from  SPSS,  to  start  pulling  relevant 
information  out  of  125,000  document 
abstracts  from  21  medical  journals. 

With  more  than  five  years  of  research 
at  his  fingertips,  he  says  he  thought 
LexiQuest  Mine  would  help  him  more  quickly  classify 
brain  tumors  in  patients. 

The  software  lets  researchers  ask  questions,  extract 
concepts  and  relate  the  analysis  to  known  brain  tumor 
diagnosis  criteria  such  as  gene  lists.  LexiQuest  Mine 
helped  the  doctor  query  and  retrieve  documents,  but 
more  importantly  mine  the  text  for  concepts.  For  exam¬ 
ple,  the  analytics  software  understands  how  groups  of 
words  work  together  such  as  clinical  trial  vs.  failed  clin¬ 
ical  trial.  Text  mining  would  deliver  more  accurate 
results  than, say,  a  search  program. 

The  problem  with  the  software  is  that  it  took  more 
than  a  day  to  generate  some  results. 

“Initially,  I  thought  the  application  had  shut  down,  but 


that  is  just  how  long  it  took  to  process  the  request  from  a 
workstation,”  he  says.“I  quickly  realized  it  wasn’t  humanly 
possible,  even  with  this  application,  to  realistically  mine 
the  amount  of  data  I  needed  to  mine  for  research.” 

Bremer  then  considered  whether  other  technology 
could  help  advance  his  scientific  endeavor. 

“I  am  not  an  IT  professional, but  I  was  familiar  with  the 
notion  of  high-throughput  and  high-performance  com¬ 


puting  options,”  he  says. 

He  considered  grid  computing  an  alternative  to  invest¬ 
ing  in  high-end  servers.  Because  of  cost,  space  and 
potential  managerial  constraints,  he  wanted  to  better 
use  the  computing  power  he  had  in-house. 

With  the  help  of  SPSS,  Bremer  became  acquainted 
with  grid  computing  products  from  United  Devices. The 
application  provider  wanted  to  ensure  its  software  met 
the  specifications  the  doctor  required  and  offered  to 
grid-enable  the  application.  SPSS  had  been  a  node  on 
United  Devices’ worldwide  grid  since  2001. 

“The  application  has  different  modes  in  which  it  can 
run,  and  each  mode  has  a  process  that  is  a  series  of 
steps,  and  each  step  has  a  wrapper  around  it.  The  grid 


technology  can  grab  the  wrapped  step  and  send  it  to 
any  idle  processors  on  the  grid,”  explains  Catherine 
DeSesa,  system  engineer  at  SPSS.“Most  applications  that 
use  command-line  scripts  can  be  grid-enabled.” 

Working  with  professional  services  folks  from  SPSS 
and  United  Devices,  Children’s  Memorial  rolled  out  its 
pilot  of  United  Devices’  GridMP  Workstation  product  in 
October. 

The  software  consists  of  a  central 
Linux-based  server  and  agents  distrib¬ 
uted  to  Windows  machines  designated 
to  be  on  the  grid.  The  software  taps 
unused  and  idle  processor  time  on 
doctors’  and  researchers’  desktops  and 
laptop  computers.  Upon  a  user  request, 
the  server  software  will  parse  out  parts 
of  the  LexiQuest  Mine  application 
process  to  available  machines. 
The  machines  perform  their  part  of  the 
job  and  return  the  results  to  the 
GridMP  Server,  which  recompiles  the 
data  and  delivers  it  to  the  user  via  a 
Web  interface. 

Policies  defined  in  the  software  deter¬ 
mine  which  machines  can  be  used 
and  eliminate  the  need  for  the 
researcher  to  assign  the  jobs  to 
machines.  Yet  the  grid  has  its  limita¬ 
tions.  It’s  restricted  to  internal  PCs 
because  of  firewall  and  licensing 
issues,  Bremer  says. 

Bremer  started  with  about  18  desk¬ 
tops,  expanded  the  pilot  to  more  than 
25  end-user  machines  and  plans  to 
increase  it  to  more  than  100  in  the  next 
few  months. 

“We  get  through  a  lot  more  data  a 
lot  more  efficiently  now;”  he  says.  His 
team  was  able  to  define  data-mining 
workflows  and  automate  about  80% 
of  the  process  with  the  grid  in  place.  Bremer’s  not 
sure  the  other  20%  needs  to  be  automated  and  plans 
to  expand  its  use  to  more  applications. 

“The  best  result  of  the  grid  is  that  it  opened  our  eyes 
to  a  lot  more  ways  we  could  use  it,”  he  says.“We  lifted 
a  barrier  to  being  able  to  do  more  computationally 
intensive  experiments." 

While  Bremer  did  not  discuss  specifically  what  his 
organization  spent  on  the  grid  software,  he  says  he  was 
able  to  use  an  existing  Linux  server.  United  Devices 
says  its  GridMP  Workstation  product  can  start  at 
$50,000  and  scale  according  to  the  number  of  servers, 
agents  and  additional  components  purchased.  Pricing 
for  LexiQuest  Mine  starts  at  $60,000.  ■ 


\ 

Divide  and  conquer 


Children’s  Memorial  Research  Center  uses  grid  technology  to  split  the 
processing  load  of  a  text-mining  application  among  desktops  and  laptops 
and  is  able  to  get  speedier  results  to  further  pediatric  brain  tumor 


O  A  researcher  uses  a  Web  interface  to  begin  a  text-mining  application  process  on  the  application  server.  The 
researcher  specifies  the  data  to  be  found  in  more  than  124,000  medical  documents,  how  it  should  be  presented  and 
who  should  receive  it. 

©  Application  server  sends  the  job  to  the  GridMP  Server,  which  searches  the  grid  of  desktops  and  laptops  for  idle  processors, 
parses  the  text-mining  application  based  on  available  machines  and  distributes  the  job  to  end-user  devices  equipped  with 
agent  software. 

©  The  desktops  and  laptops  in  the  research  center’s  grid  process  their  part  of  the  job  and  send  the  text  mining 
results  to  the  GridMP  Server. 

©  The  GridMP  Server  waits  until  all  processing  is  done,  accepts  completed  jobs  from  grid  machines,  recompiles  the 
parts  of  the  text-mining  application  according  to  the  researcher’s  earlier  presentation  request  and  delivers  the 
results  via  the  application  server  to  a  Web  interface. 
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I  spoke  with  Microsoft’s  Stuart  Kwan  and 
Kim  Cameron  last  week  at  NetPro’s 
Directory  Experts  Conference.  Kwan  is 
the  director  of  program  management  for 


Tip  of  the  Week 


|  I’ll  be  saying  a  lot  more 
|  labout  Active  Directory, 

|  DEC,  Kwan  and  Cameron  in 
|  this  week’s  Identity  and 
I  Windows  networking  newslet¬ 
ters,  make  sure  you're  sub- 
|  scribed.  If  not,  head  to 
j  www.nwwsubscribe.com 
|  and  sign  up  now. 


Microsoft  getting  Active  Directory  right 


identity  and  access  in  the  Windows  Server 
group,  while  Cameron  is  identified  as 
“identity  architect”  —  that  means  emi¬ 
nence  grise,  or  the  guy  Kwan  can  blame 
for  the  really  bad  ideas. 

The  important  message  I  got  was  that 
(finally)  Microsoft  was  taking  identity  — 
and  Active  Directory  —  seriously  Well,  the 
company  is  taking  Identity  and  Access 
Management  seriously  and  to  do  that  it 
needs  to  give  priority  and  prominence  to 
Active  Directory  It’s  a  far  cry  from  1999 
when  Active  Directory  was  often  consid¬ 
ered  an  evil  —  albeit  a  necessary  evil  — 
adjunct  to  the  server  operating  system. 
Users  drove  the  change  in  priorities 
because  they  demanded  better  facilities 
to  support  federated  services,  regulatory 
compliance,  electronic  provisioning  and 
more  —  all  of  which  rely  on  the  directory 
as  platform. 

The  duo  outlined  the  road  map  for  the 
directory  going  forward.  First,  in  the 
upcoming  R2  release  of  Windows  2003 
Server  there  will  be  schema  extensions  in 
support  of  Unix  and  Linux  compatibility. 
Yes,  Microsoft  is  admitting  that  you  might 
have  some  non-Windows  platforms  in 


your  network  mix!  The  new  extensions  will 
facilitate  third  parties  (such  asVintela  and 
Centrify)  that  provide  authentication  ser¬ 
vices  to  non-Windows  platforms  but  have 
run  into  some  resistance  from  users  not 
wishing  to  do  ad  hoc  schema  extensions. 

There  are  big  plans  for  the  next  release  of 
Windows  server  (code  named  Longhorn), 
including  the  concept  of  Read-Only 
domain  controllers  (all  the  best  parts  of 
the  old  back-up  domain  controller  without 
the  headaches).  Because  Longhorn  also 
will  allow  you  granular  control  of  the  ser¬ 
vices  running  (including  such  anomalies 
as  a  command-line  driven  Windows  serv¬ 
er),  you’ll  be  able  to  build  a  minimalist 
domain  controller  with  few  other  services 
running  thus  minimizing  the  security  holes 
that  might  be  available. 

Two  huge  gains  for  IT  and  ID  managers 
to  come  in  the  Longhorn  release  are  the 
ability  to  differentiate  between  Domain 
Administrators  and  Domain  Controller 
Administrators  (for  much  better  security), 
and  a  resetable  Active  Directory  to  mini¬ 
mize  the  number  of  required  re-boots. 
Increased  security  and  less  downtime  are 
two  good  reasons  to  look  forward  to' 


Longhorn. 

Active  Directory  finally  is  taking  its  right¬ 
ful  place  as  the  platform  for  all  sorts  of  ser¬ 
vices  in  the  realm  of  identity  manage¬ 
ment.  It  finally  might  be  fulfilling  its 
promise. 

Kearns,  a  former  network  administrator,  is 
a  freelance  writer  and  consultant  in  Silicon 
Valley.  He  can  be  reached  at  wired@ 
vquill.com. 


More  online! 


Get  an  insider's  understanding  of  the  technological 
advances  that  are  below  the  radar  of  most  WAN 
watchers.  Attend  a  new  Network  World  Live  '05 
Technology  Tour  Event  that  delivers 
new  tools  and  real-world  solutions. 
DocFinder  6235 
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•  More  ports  shipped  than  all  of  our 
competitors  combined! 

•  Over  20  years  of  experience  in  the  industry! 

•  The  best  security  with  per  port  password 
protection,  RADIUS,  Secure  Shell  v2.0,  SNMP  V3, 
SecurlD,TACACS+,  PPP  PAP/CHAP,  PPP  dial-back, 
on-board  data-base  and  more! 

•  Integrated  secure  power  management  allows 
direct  power  control. 

•  Global  certifications,  including  NEBS  Level  3. 

•  The  largest  range  of  products  in  the  industry! 

(optional  optical  uplinks  available) 

MRV  console  servers  offer  a  highly-reliable,  eas 
to  manage  rich  set  of  features,  making  secur 
remote  management  of  IT  assets  possible  fror 
any  location. 
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or  call  us  at  1  -800-338-531 6 


It's  10am.  Do  you  know  where  your  employees  are? 


The  reality  could  be  quite  costly. 

But  how  can  you  install  enterprise-class  content  management  technology,  without  spending 
mountains  of  cash?  The  answer  is  SonicWALL®.  We  take  state-of-the-art  network  security  and  make 
it  simple,  affordable  and  reliable.  So  businesses  like  yours  can  stay  focused  on  business. 

Using  a  dynamic,  real-time  rating  architecture  and  a  comprehensive  database  of  sites  and  domains, 
our  Content  Security  Management  Solutions  give  you  total  control  over  Internet  access.  You  can 
easily  set  times  for  accessing  shopping,  banking  and  other  personal  Web  surfing  sites.  And 
advanced  analysis  and  reporting  give  real  insight  into  network  usage.  All  in  one  affordable, 
usable  package.  That's  the  SonicWALL  way. 

Stop  wondering  where  your  employees  are.  For  more  details  on  our  SonicWALL  Content  Security 
Management  Solutions,  visit  www.sonicwall.com/csm  or  call  us  at  1 .888.557.6642. 


Around  the  clock,  around  the  world,  and  around  the  Web- 

SonicWALL  is  there  for  you. 


Gateway  Anti-Virus  ■  Anti-Spyware  ■  Intrusion  Prevention  ■  Content  Security  ■  Secure  Wireless  ■  Firewall  ■  VPN. 
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THIS  EVENT  IS  COMING  TO  A  CITY  NEAR  YOU 


DALLAS,  TX  |  April  5,  2005  SAN  FRANCISCO,  CA  J  April  7,  2005 
WASHINGTON,  DC  |  April  12,  2005  NEW  YORK,  NY  |  April  14,  2005 
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Remote  Office  Networking: 

Bringing  the  Enterprise  Together 

join  james  Gaskin,  Principal,  Gaskin  Computer  Services,  and  leading 
solution  partners  for  this  Network  World  Technology  Tour  and  Expo 

Remote  Office  Networking  shows  you  how  to  satisfy  your  enterprise's  seemingly 
conflicting  demands  for  remote  office  networking  without  sacrificing  control,-  flexibility 
as  well  as  protection  from  hackers,-  more  user  productivity  while  lowering  costs  for 
supporting  far-flung  workgroups.  You'll  get  immediate-impact  ideas,  information  and 
options  that  will  reduce  your  remote  office  costs,  increase  your  core  security,  and 
maximize  your  management  efficiency.  All  while  building  an  integrated  remote  office 
network  that  unites  your  enterprise.  v 
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3Com 

Exercise  Choice " 

3Com  is  a  leading  provider  of  secure,  converged  voice  and 
data  networking  products  and  solutions  that  improve  business 
value  for  enterprises  of  all  sizes.  More  than  any  other  compa¬ 
ny,  3Com  brings  the  power  of  choice  to  enterprise  customers. 


Q  Internet  |  Security  |  Systems* 

Ahead  of  the  threat. 

Internet  Security  Systems  (ISS)  is  the  only  company  to  provide 
truly  pre-emptive  protection  that  shields  vulnerabilities  and 
blocks  attacks  before  they  disrupt  business  operations.  ISS 
delivers  proven  cost  efficiencies  and  reduces  regulatory  and 
business  risk  for  over  12,000  customers  worldwide. 


PRESENTING  SPONSORS 


Adirati 


ADTRAN's  NetVanta  solutions  are  designed  for  cost-effective 
branch  office  connectivity  and  include  routers,-  managed  Fast 
Ethernet,  Gigabit,  and  PoE  switches,-  VPN/firewall  devices  and 
an  industry  first  -  one  product  that  combines  a  managed  24- 
port  Ethernet  switch,  router  with  WAN  interface,  and  firewall, 
with  options  for  VPN  and  PoE,  all  in  a  single  lU  chassis. 

-RIVERBED 

Riverbed  optimizes  applications  for  wide  area  networks  by 
addressing  the  two  key  factors  that  slow  performance:  high 
latency  and  limited  bandwidth.  Riverbed  appliances  accelerate 
applications  up  to  100  times  and  expand  bandwidth  ten-fold, 
enabling  site  consolidation  of  distributed  infrastructure  without 
degrading  performance. 
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When  you’re  ready  to  take  control.™ 
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A  WE8SENSE  PARTNER 
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A  WEBSENSE  PARTNER 
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Remote  Office  Networking:  Bringingthe  Enterprise  Together 

Register  now  at  www.nwfusion.com/RONS5A1 
or  call  Dori  Smith  at  800-643-4668 

To  join  sponsors  of  this  premier  Network  World  Event,  or  to  find  out  more  about  onsite  company  training,  please  contact 
Andrea  D'Amato  at  1-508-490-6520  or  adamato@nww.com  for  free,  no-obligation  information 
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Offsite  security  complicates  compliance 


Auditing  outsourcers 


SAS  70  audits  have  been  around  for  awhile,  but  they’re  getting  closer 
scrutiny  as  public  companies  look  to  comply  with  Sarbanes-Oxley  (SOX) 
requirements. 

What  it  is:  SAS  70  is  an  auditing  standard  developed  by  the  American  Institute  of 
Certified  Public  Accountants  to  examine  the  system  and  security  controls  in  place  at 
a  service  organization  or  outsourcer. 

Who  gets  one:  Service  organizations  can  request  an  SAS  70  audit,  which  an  accounting 
firm  performs. 

Points  to  be  aware  of: 


SAS  70  audits  don’t  happen  overnight.  It  can  take  several  months  for  an  outsourcer 
to  go  through  the  process  of  defining  the  scope  of  an  SAS  70  audit  and  submitting 
to  testing  by  an  auditor. 

There’s  no  set  criteria  fortesting  in  an  SAS  70  audit.The  outsourcer  and  auditing 
firm  define  the  parameters  of  the  SAS  70  audit,  which  can  vary  from  firm  to  firm. 

Securing  SAS  70  audits  from  outsourcers  might  not  be  adequate  for  SOX  compliance. 
The  SAS  70  auditing  standard  predates  SOX  and  might  not  cover  all  the  controls 
that  SOX  addresses. 

Additional  documentation  might  be  required.  Companies  concerned  SAS  70  audits 
from  their  outsourcers  aren’t  sufficient  might  need  to  send  their  own  internal  and 
third-party  auditors  to  verify  in-place  processes  and  physical  conditions  at  their 
outsourcers’  sites  are  adequately  secure. 


■  BY  ANN  BEDNARZ 

Offsite  security  conditions  are  always  a 
factor  to  consider  when  a  company  enters 
an  outsourcing  deal,  but  regulatory  initia¬ 
tives  are  raising  the  stakes. 

IT  executives  need  to  ensure  service  pro¬ 
viders  have  proper  system  controls  in 
place  before  and  after  they  enter  into 
sourcing  and  hosting  arrangements,  ana¬ 
lysts  say  It’s  not  only  a  good  business  prac¬ 
tice,  it’s  also  increasingly  required  by  law 

One  law  putting  a  spotlight  on  outsourc¬ 
ing  deals  is  the  Sarbanes-Oxley  (SOX)  Act 
of  2002,  which  Congress  passed  in  the 
wake  of  accounting  scandals  at  firms  such 
as  Enron  and  WorldCom. 

SOX  has  IT  and  finance  departments 
working  closely  to  review  and  modernize 
companies’  financial  reporting  systems  to 
comply  with  its  regulations.  Of  particular 
concern  is  Section  404  of  the  legislation, 
which  calls  for  company  executives  and 
third-party  auditors  to  certify  the  effective¬ 
ness  of  internal  controls  —  technologies 
and  processes  put  in  place  to  preserve  the 


■  IBM  last  week  agreed  to  buy  data 
integration  software  maker  Ascen- 
tial  Software  for  about  $1.1  billion. 
AscentiaPs  products  are  used  to  build 
data  warehouses,  feed  data  into  busi¬ 
ness  intelligence  systems  and  consoli¬ 
date  enterprise  applications,  among 
other  things.  If  approved,  the  acquisi¬ 
tion  will  strengthen  IBM's  information 
integration  offerings,  the  company 
says.  After  the  proposed  acquisition, 
the  Westboro,  Mass.,  company  would 
become  a  business  unit  within  IBM’s 
Information  Management  software 
division.  AscentiaPs  products  would 
become  part  of  IBM’s  software  offer¬ 
ings  and  sold  through  IBM’s  and 
AscentiaPs  sales  channels  and  part¬ 
ners.  The  Ascential  Enterprise 
Integration  Suite  complements  IBM’s 
WebSphere  Information  Integrator 
products,  according  to  IBM.  Ascential 
has  more  than  3,000  customers.  IBM 
and  Ascential  have  more  than  550 
joint  customers. 


integrity  of  financial  reports. 

Doing  due  diligence  to  Section  404 
means  looking  into  conditions  at  outsourc¬ 
ing  and  hosting  providers’  sites,  where  sen¬ 
sitive  corporate  data  might  be  accessible, 
processed  or  stored.  That’s  where 
Statement  on  Auditing  Standards  (SAS)  70 
comes  in. 

SAS  70  is  an  auditing  standard  developed 
by  the  American  Institute  of  Certified 
Public  Accountants  for  service  organiza¬ 
tions.  It  prescribes  a  method  for  an  auditor 
to  examine  control  activities  at  a  service 
organization  or  outsourcing  firm. 

There  are  two  types  of  SAS  70  audits.  A 
Type  1  audit  focuses  on  general  controls  at 
a  single  point  in  time  and  doesn’t  include 
testing  by  auditors.  A  Type  2  audit  is  more 
intensive  —  and  more  appropriate  for  SOX 
compliance.  It  looks  at  conditions  over  a 
prolonged  period  of  time,  and  auditors  per¬ 
form  testing  to  verify  the  effectivene&s  of 
controls  at  service  organizations. 

SOX  compliance  efforts  have  elevated 
interest  in  the  auditing  standard,  which  has 
been  around  since  1992.  “We  are  doing  a 
lot  more  SAS  70s  lately?’  says  Ed  Byers,  a 
principal  at  Deloitte  &  Touche. 

Outsourcers  agree  that  users  are  begin¬ 
ning  to  ask  for  SAS  70  audits.“It  was  some¬ 
thing  our  customers  were  looking  forf  says 
John  Engates,  CTO  at  Rackspace  Managed 
Hosting. 

Ernst  &Young  recently  concluded  an  SAS 
70  Type  2  audit  for  the  San  Antonio  man¬ 
aged  hosting  provider.  The  audit  covered 


■  BY  JOHN  FONTANA 

Microsoft  has  taken  another  crack  at 
evolving  its  business  applications,  and  this 
means  that  corporations  could  have  a 
more  flexible  upgrade  path  as  the  vendor 
tries  to  integrate  its  wares  over  the  next 
three  years  and  keep  pace  with  rivals. 

The  news  for  corporate  users  is  they 
won’t  have  to  rip  and  replace  their  current 
Microsoft  Business  Solutions  applications 
— Axapta, Great  Plains, Navision, Solomon 
and  Microsoft  CRM.  Instead, they  will  see  a 
series  of  upgrades  that  will  introduce 
common  features  across  the  platform, 


controls  related  to  service  delivery  and 
operations,  infrastructure  maintenance, 
change  management,  back-up  processes, 
and  logical  and  physical  data  center 
access,  Engates  says. 

Rackspace  underwent  the  audit  at  the 
request  of  some  of  its  largest  customers, 
which  are  facing  SOX  Section  404  dead¬ 
lines,  Engates  says.  Section  404  says  corn- 


including  interface  design,  development 
tools;  and  integration  points  such  as  SQL 
Server,  SharePoint  Pbrtal  Server,  Off  ice  and 
Longhorn. 

Microsoft  recently  unveiled  its  new  road 
map  at  its  Convergence  2005  conference  in 
San  Diego. 

As  part  of  the  plan,  Microsoft  also  extend¬ 
ed  support  for  business  applications  from 
three  years  to  five  so  users  can  stay  on  a 
given  version  longer  before  upgrading. 

Experts  say  Microsoft’s  plan  is  twofold: 
One  is  to  address  user  migration  concerns, 
and  the  other  is  to  catch  up  to  rivals  in  the 
See  Microsoft,  page  28 


panies  must  prepare  reports  —  to  accom¬ 
pany  their  annual  reports  filed  with  the 
Securities  and  Exchange  Commission  — 
assessing  the  effectiveness  of  their  internal 
control  structures  and  financial  reporting 
procedures.  Section  404  deadlines  are  stag¬ 
gered  and  begin  this  spring. 

“They  really  need  some  assurance  that 
the  controls  that  are  in  place  outside  of  the 
walls  of  their  companies  are  as  effective  as 
the  controls  inside  their  companies,”  he 
says. 

At  the  same  time,  Rackspace  benefits 
from  having  gone  through  a  formal  process 
to  analyze  and  document  its  internal  con¬ 
trols.  “It  put  a  spotlight  on  our  documenta¬ 
tion  and  the  formalization  of  our  policies 
and  processes,”  Engates  says. 

Securing  SAS  70  certification  requires  a 
commitment  —  of  personnel  and  budgets 
—  on  the  outsourcing  providers’  part.  At 
Rackspace,  the  certification  process  took 
almost  one  year,  from  the  early  stages  of 
defining  the  scope  of  the  audit  to  the  full¬ 
blown  testing  of  controls. 

Sierra  Atlantic  will  spend  about  $25,000 
to  achieve  SAS  70  certification  this  year, 
says  Marc  Hebert,  executive  vice  president 
at  the  Fremont, Calif., company  which  offers 
a  range  of  offshore  application  services. 
Sierra  Atlantic  is  in  the  process  of  securing 
SAS  70  Type  2  certification. 

See  SAS  70,  page  23 
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In  mid-March,  the  George  Washington 
University-based  National  Security  Arch¬ 
ive  (www.gwu.edu/~nsarchiv)  added  to 
its  already  impressive  collection  of  National 
Security  Agency-related  documents.  The 
most  recent  addition  is  the  December  2000 
“Transition  2001”  document  provided  to  the 
then-incoming  Bush  administration.  This 
document  recommends  that  the  agency 
get  even  deeper  into  the  network  monitor¬ 
ing  business  and  makes  for  quite  interesting 
reading,  particularly  since  it  is  reasonable  to 
assume  that  equivalent  documents  were 
created  by  intelligence  agencies  in  other 
parts  of  the  world. 

The  documents  in  the  archive  cover 
many  issues,  which  include  the  full  history 
of  the  National  Security  Agency  and  extend 
from  1950  to  2002  (www.nwfusion.com, 
DocFinder  6329).  As  you  might  expect, 
Transition  2001  (DocFinder:  6330)  has  been 


Just  doing  its  job 


redacted,  but  far  less  than  I  would  have 
expected.  (By  the  way  the  National  Security 
Agency  at  least,  has  learned  from  the  work 
of  Claire  Whelan  —  redacting  is  now  done 
with  white  boxes  that  overlap  the  text  (see 
DocFinder:  6331). It’s  fun  to  speculate  that  if 
the  National  Security  Agency  took  the  op¬ 
portunity  of  having  to  produce  this  docu¬ 
ment  to  redact  selectively  to  make  some 
points,  for  example,  clarifying  that  it  has  lost 
employees  at  a  time  when  it  wants  more 
responsibility 

A  few  major  points  in  the  document: 

•  The  agency  is  ready  to  deal  with  the 
explosion  in  global  communications  but  to 
do  so  “demands  a  policy  recognition  that 
NSA  will  be  a  legal  but  also  a  powerful  and 
permanent  presence  on  a  global  telecom¬ 
munications  infrastructure  where  protect¬ 
ed  American  communications  and  target¬ 
ed  adversary  communications  will  coexist.” 

•  The  National  Security  Agency  must  “live 
on  the  network”  to  deal  with  the  new  world 
of  wireless-  and  fiber-based  data  communi¬ 
cations  networks  but  “the  NSA  can  perform 
its  missions  consistent  with  the  Fourth 
Amendment  [of  the  U.S.  Constitution]  and 
all  applicable  laws.” 


•  The  agency’s  mission  “means  seeking 
out  information  on  the  Global  Net,  using  all 
available  access  techniques,  breaking 
often-strong encryption ...” 

•  The  new  telecom  world  leaves  U.S.  net¬ 
works,  both  public  and  private  sector,  vul¬ 
nerable.  But  the  document  doesn’t  spend 
all  that  much  time  discussing  this.The  doc¬ 
ument  also  mentions  that  the  National 
Security  Agency  suffered  a  three-and-a-half- 
day  network  outage  in  January  2000,  hardly 
something  I  expected  to  read  here  (unless 
it  already  had  been  reported  —  if  so,  I 
missed  it). 

It  might  not  be  entirely  coincidental  that 
the  National  Security  Agency  in  mid- 
February  leaked  the  fact  that  the  Bush 
administration  is  thinking  of  making  the 
agency  just  the  kind-of  “traffic  cop”  that  it 
asked  to  be  in  Transition  2001  (DocFinder: 
6332).  It  sure  would  be  good  to  get  some¬ 
one  in  government  to  pay  attention  to  the 
security  of  government  agencies,  consider¬ 
ing  they  were  judged  to  deserve  no  better 
than  a  D+  last  year  (DocFinder:  6333). 

Maybe  the  National  Security  Agency  can 
help  (see  www.nwfusion.com,  DocFinder: 
6334).  For  now,  I’ll  take  it  at  face  value  that 


the  National  Security  Agency  will  take 
pains  to  adhere  to  the  law  and  that  the  laws 
that  the  agency  pays  attention  are  the  laws 
we  know  about.  (But  I  will  note  that  the 
face  of  the  agency  is  not  all  that  clear.) 

I  assume  that  most  other  major  countries 
have  similar  plans,  but  might  lack  a 
Freedom  of  Information  Act  to  make  that 
fact  known.  So  maybe  it’s  time  to  start  pro¬ 
tecting  communications  that  you  or  your 
company  would  rather  not  have  become 
general  knowledge  in  world  government 
circles,  and  maybe  also  in  industry  circles 
with  good  government  contacts.  Take  a 
look  at  the  technology  at  www.gnupg.org, 
which  I’ve  been  told  is  what  organizations 
like  the  National  Security  Agency  use  in 
house  to  foil  competitors  in  its  line  of 
business. 

Disclaimer:  Foiling  competitors  in  the 
higher-ed  business  means  being  better,  not 
stealthier.  Harvard  hasn’t  expressed  a  view 
on  the  National  Security  Agency’s  self-opin¬ 
ion,  and  the  above  is  mine. 

Bradner  is  a  consultant  with  Harvard 
University’s  University  Information  System. 
He  can  be  reached  at  sob@sobco.com. 
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developing  Web  services  world. 

Microsoft’s  original  upgrade  plan, 
dubbed  Project  Green,  would  have  been  a 
replacement  for  current  applications,  but 
the  company  is  replacing  the  glitz  of  that 
makeover  with  a  more  pragmatic  plan, 
analysts  say.  The  company  also  has  aban¬ 
doned  its  boastful  prediction  from  just 
more  than  a  year  ago  that  it  would  grow  its 
Business  Solutions  Group  to  $10  billion  in 
revenue  by  2011. 

“Project  Green  shook  up  partners  and 
customers  pretty  seriously’  says  Chris  Alli- 
egro.an  analyst  at  Directions  on  Microsoft. 
“If  you  had  made  investments  in  existing 
product  lines,  you  were  looking  at  poten¬ 
tially  an  uncertain  future.  You  ask, ‘Can  I 
move  to  new  products  or  am  I  looking  at 
a  costly  data  migration  process?’” 

Microsoft’s  plan  now  is  to  build  com¬ 
mon  elements  between  applications  such 
as  developing  50  role-based  templates  for 
creating  stock  interfaces  for  specific  users 
such  as  shipping  clerks  or  procurement 
managers.  The  plan  also  is  to  integrate 
common  portal  technology  based  on 
SharePoint  Portal  Server,  add  support  for 
SQLServer  Reporting  Services, and  ship  in 
2006  a  common  user  interface  that  incor¬ 
porates  similar  navigation,  buttons  and 
forms. 

In  addition,  Microsoft  says  it  plans  to  cre¬ 
ate  a  common  Web  services  layer  based 
on  technology  it  is  developing  in  Long¬ 
horn  called  Indigo  that  will  let  users 
expose  the  business  logic  from  Microsoft 
business  applications  as  services  within  a 
service-oriented  architecture  (SOA). 

Those  features  will  be  part  of  what 


Microsoft  is  calling  Wave  One  of  Project 
Green. 

“The  thing  that  they  can  do  is  bring  for¬ 
ward  what  they  call  the  user  experiences,” 
says  Joshua  Greenbaum,  of  Enterprise 
Applications  Consulting.“They  can  use  the 
extraordinary  familiarity  that  the  world 
has  with  Office  and  Outlook  and  drive  a 
lot  of  functionality  through  that  user  expe¬ 
rience.  That  is  something,  when  you  look 
at  the  synergy  that  the  Business  Solutions 
Group  can  have  with  the  rest  of  Microsoft, 
that  really  is  extraordinary  and  that  is 
where  the  potential  gets  mind-boggling.” 

Of  course,  Microsoft  isn’t  the  only  one 
with  that  idea.  Rivals,  such  as  SAP  are  look¬ 
ing  to  bring  Office  and  Outlook  to  the 
front  end  of  their  platforms. 

In  Wave  Two,  which  is  scheduled  to 
begin  in  2008,  Microsoft  plans  to  add  mod¬ 
eling  tools  for  developers  to  map  out  a 
company’s  business  processes  and  work- 
flows,  and  adapt  the  business-logic  Web 
services  to  those  models. 

Some  experts  say  the  rivals  are  fueling 
Microsoft’s  strategy  change. 

“There  is  a  heightened  sense  within  Mi¬ 
crosoft  that  the  real  competition  going  for¬ 
ward  is  SAP  and  Oracle  and  to  a  lesser  ex¬ 
tent  IBM,”  says  Bruce  Richardson,  senior 
vice  president  of  research  at  AMR  Re¬ 
search.  “When  Microsoft  hears  about  SAP 
building  open  business-process  platforms 
or  hears  about  Oracle’s  Project  Fusion, 
they  realize  they  need  to  get  a  bit  more 
aggressive  on  the  marketing  side  and  talk 
about  their  plans  for  SOAs. 

Microsoft  officials  say  the  change  in 
Project  Green  merely  reflects  the  hope 
of  arriving  at  its  goals  without  tearing  up 
the  entire  road  that’s  already  been  laid 
down.B 
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Like  Rackspace,  Sierra  Atlantic  decided 
to  pursue  SAS  70  certification  because  of 
customer  demand,  Hebert  says. 

In  general,  there’s  a  tendency  for 
companies  to  secure  more  SAS  70  certifi¬ 
cations  from  outsourcers  than  are  need¬ 
ed,  Byers  says.  “Companies  are  so  scared 
about  Sarbanes-Oxley  they  want  to  audit 
everything,”  he  says. 

There’s  confusion  over  when  an  SAS  70 
audit  is  required  and  when  it  isn’t  —  par¬ 
ticularly  when  it  comes  to  smaller  service 
providers  that  might  not  have  the  neces¬ 
sary  controls  in  place,  Byers  says. 

The  most  common  scenario  that  would 
require  a  company  to  secure  an  SAS  70 
audit  from  its  service  provider  is  when  the 
company  outsources  application  process¬ 
ing  such  as  payroll.  “If  you  outsource  a 
transaction  process  like  payroll,  then  you 
probably  want  an  SAS  70  —  because  the 
control  is  at  the  service  provider]’  Byers 
says. 

But  not  every  outsourcing  arrangement 
necessitates  an  SAS  70.  For  example,  a 
company  that  uses  contract  employees 
from  an  IT  service  provider  to  help  man¬ 
age  its  applications  probably  doesn’t  need 
an  SAS  70  from  the  service  provider 
because  control  over  the  systems  remains 
internal. 

Likewise,  if  a  company  uses  an  out¬ 
sourcer  for  certain  application  develop¬ 
ment  activities  but  retains  control  over  ap¬ 
plication  testing  and  change  control,  an 
SAS  70  might  not  be  required. “If  manage¬ 
ment  is  providing  all  the  control, you  don’t 
need  to  have  an  audit  of  the  service 
provider]’  Byers  says. 


Some  arrangements  are  particularly 
cloudy  about  SAS  70  requirements.  In  a 
hosting  arrangement,  it’s  important  to 
determine  who  has  control  over  updates 
to  an  application,  Byers  says.  Additionally 
even  if  a  company  retains  control  over 
application  testing  and  updates,  an  SAS  70 
audit  might  be  required  to  assess  physical 
and  environmental  controls  at  the  service 
provider’s  site,  Byers  says. 

Even  if  an  SAS  70  audit  has  been  com¬ 
pleted,  it  might  not  be  adequate  for  SOX 
compliance,  Meta  Group  says.  The  SAS  70 
standard  was  developed  long  before  SOX 
regulations  and  doesn’t  necessarily  focus 
on  the  type  of  controls  that  SOX  requires, 
according  to  the  research  firm. 

There’s  no  standard  prescription  for 
what  is  covered  in  an  SAS  70  audit,  Byers 
agrees.  A  service  provider  typically 
defines  the  control  objectives  and  activi¬ 
ties  covered  in  an  SAS  70  audit  of  its 
operations.  “An  SAS  70  can  include  as 
much  or  as  little  as  a  service  provider 
wants.  It’s  not  a  standardized  audit 
report,”  Byers  says. 

Because  the  comprehensiveness  of  SAS 
70  audits  varies,  it’s  up  to  the  contracting 
company  and  its  auditors  to  assess  a  ser¬ 
vice  provider’s  SAS  70  for  completeness 
and  adequacy 

“Since  the  SAS  70  isn’t  standardized,  you 
need  to  assess  its  completeness,”  Byers 
says.  “Does  it  cover  all  your  general  com¬ 
puter  controls?  Does  it  cover  applicable 
business  process  controls  via  the  applica¬ 
tion  controls?”  In  theory,  a  service  provider 
could  exclude  areas  from  an  SAS  70  audit 
where  it  knows  it’s  vulnerable.  But  that’s 
not  typical,  Byers  says.  In  general,  SAS  70 
audits  have  become  more  comprehensive 
in  light  of  SOX,  he  says.  ■ 
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■  BY  BETH  SCHULTZ 

Everyone  says  they  want  to  automate  security  func¬ 
tions,  but  few  have  done  so  fully  This  is  true  even  of  the 
most  mature  security  automation  functions,  such 
as  intrusion  detection,  patch  management  and 
vims  protection.  Alerts  are  automated,  but  more 
often  than  not,  responses  aren’t.  The  results  of  a  recent 
security  survey  conducted  for  Network  World  by 
AFCOM,an  association  of  enterprise  data  center  managers,  cer¬ 
tainly  bear  this  out. 

In  that  survey  99%  of  157  total  respondents  identified  the  need  to  automate  security  functions  as  a  “mod¬ 
erately  important”  or  “critical”  corporate  strategic  value  (see  related  information,  page  8).  But  only  14%  of 
respondents  said  they  automate  responses  for  most  types  of  alerts.  The  largest  percentage  —  44%  of  the 
respondents  —  reported  handling  all  security  alerts  manually  with  another  42%  automating  responses  to 
only  a  few  types  of  alerts.  What’s  more,  when  it  comes  to  managing  security  information,  the  largest  per¬ 
centage  —  36%  —  rely  on  vendor  point  products  rather  than  an  integrated  management  platform. 

However, progress  is  being  made  on  the  security  integration  front, as  28%  report  that  they  do  integrate  into 
a  systems  manager;  22%  integrate  into  a  security  manager  (14%  indicated  they  do  something  other  than 
run  vendor  point  products  or  integrate  into  either  a  systems  or  security  management  platform). 

Enterprise  security  won’t  ever  be  100%  automated  —  trust  and  cost  are  two  factors  prohibiting  full 
automation.  But  security  must  become  automated  substantially  enough  as  to  become  part  of  normal  busi¬ 
ness  operations. 

Bringing  that  about  means  making  security  automation  a  core  new  data  center  component.  Security 
functionality  must  be  embedded  in  the  network  layer,  for  example, and  companies  must  be  willing  to  build 
security  operations  centers  (SOC).  Similar  in  concept  to  a  network  operations  center,  an  enterprise  SOC 
continuously  monitors  and  manages  a  range  of  security  devices  and  events  to  maintain  and  ensure  over¬ 
all  network  security 

This  supplement  explores  these  and  other  best  practices  for  getting  security  to  a  more  automated  state.  I 
hope  we’ll  soon  see  less  of  a  disconnect  between  the  security  automation  ideal  and  today’s  reality 

—  Beth  Schultz 

Editor,  Signature  Series 
bschultz@nww.com 


A  look  ahead  to  the  other  pieces  of  the 
2005  New  Data  Center  series: 
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Isn’t  that  th( 
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After  all,  just 
any  security  p 
Firewalls,  inti 


can  be  automat* 

i  detection  systems  and  anti-virus  software 
scan  and  sniff  network  traffic  and  comput¬ 
ers  for  known  signatures  of  attacks,  viruses 
and  worms.  Vulnerability  management  sys¬ 
tems  find  and  patch  holes,  so  malware  can’t 
exploit  them.  Remote  access  managers 
sandbox,  scan  and  sanitize  endpoints  before 
allowing  network  access.  And  security  mam 
agers  get  to  view  ail  of  this  and  more  from  a  cen¬ 
tral  monitoring  station. 

OK,  maybe  it  isn’t  an  integrated  monitoring  station  but 
h  rather  a  bunch  of  monitoring  stations  kludged  into  one 
L  console  by  a  security  administrator.  That's  the  nature  of 
H  the  beast,  too. The  inability  of  different  security  products 

M  to  share  network  and  security  information  limits  secu- 
Wk  rity  automation.  Limitations  appear  elsewhere,  too.  For 

5l  ft  example,  intrusion-prevention  systems  (IPS)  lack  the 
'  intuition  to  know  the  difference  between  a 
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The  automation  imperative 

Security  automation  has  clearly  become  an  IT  mandate,  with  anti-virus  protection, 
intrusion  detection  and  prevention,  and  patch  management  the  primary  concerns, 
according  to  157  IT  professionals  who  participated  in  a  membership  survey  conducted 
by  AFCOM,  an  association  of  enterprise  data  center  managers,  on  Network  World’s 
behalf. 


How  important  is  security  automation  to 
your  company’s  overall  IT  strategy? 


1% 

Not  at  all 
important 


Which  of  the  following  technologies  do  you  expect 
to  be  fully  automated  within  your  company  within 
the  next  18  months? 

(Number  of  respondents) 


Access  rights  and  identity  management 

■(■■■so 

Compliance  with  corporate  security  policy 
Vulnerability  assessment  and  management 

41 

Content  compliance 


More  online!  Head  to  Network  World  Fusion  for  results  of  the  entire  security  automation  survey, 
Use  www.nwfusion.com,  DocFinder: 
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Christmas  rush  and  a  denial-of-service  attack, 
which  is  why  companies  use  intrusion  prevention 
sparingly  or  not  at  all.  There’s  no  way  a  security 
tool  will  ever  be  able  to  set  policies  aligned  to 
your  business’  unique  characteristics. 

Suffice  it  to  say, security  will  continue  to  become 
automated,  but  will  never  fully  replace  human 
perception,  intuition  and  intervention.  “You  can 
build  automated  security  models  in  a  way  to 
detect  problems,  establish  countermeasures  and 
alert  a  human,  who  can  then  build  a  filter  or 
countermeasure  to  protect  against  that  issue,” 
summarizes  John  Pironti,  enterprise  architect  and 
security  consultant  at  Unisys.  “In  this  way,  there 
will  always  be  a  symbiotic  relationship  between 
humans  and  computers.” 

Know  your  business 

Intrusion  detection,  anti-virus,  firewalls  and  anti¬ 
spam  are  fairly  mature  when  it  comes  to  automa¬ 
tion  —  meaning  human  intervention  is  minimized. 
While  these  tools  needed  manual  updates  and  ex¬ 
cessive  filtering,  they  now  essentially  run  them¬ 
selves,  by  automatically  updating  their  signature 
files,  blocking  worms  and  viruses,  scanning  and 
parsing  datastrearns,  and  looking  deep  into  pack¬ 
ets  to  detect  bad  behavior,  says  Vick  Wheatman, 
vice  president  of  security  practices  at  Gartner. 
Reaching  that  level  of  maturation  takes  five  to  10 
years,  analysts  say 

They  point  to  security  information  aggregation 
and  identity  management  as  two  technologies  at 
the  other  end  of  the  maturation  spectrum.  This 
means  we  won’t  see  mature  automation  of  these 
disciplines  until  2010  or  beyond. 

But  don’t  just  look  to  product  trends  to  measure 
automation,  says  Robert  Garigue,  vice  president 
and  chief  information  security  officer  at  Bank  of 
Montreal  Financial  Group.  Instead,  organizations 
should  focus  on  how  security  aligns  with  best  prac¬ 
tices  and  how  it  can  be  automated  to  the  point  that 
it  moves  from  just  security  into  the  normal  opera¬ 
tions  of  the  business,  he  says. 

“Stand  above  the  products,  above  the  architec¬ 
ture,  and  look  at  the  evolutionary  process  of  where 
automation  has  happened,”  says  Garigue,  a  fre¬ 
quent  speaker  on  security  maturation  frameworks. 
“For  example,  firewalls  are  routine  and  so  have 
become  embedded  in  our  network  infrastructures. 
Patch  updates  and  data  quality  have  moved  from 
exception  management  to  normal  operation.” 

When  automated  security  becomes  routine, secu¬ 
rity  teams  gain  the  freedom  to  deal  with  new  risks 
and  emerging  policy  issues.“Now  we  can  focus  on 
service-oriented  architectures,  digital  rights  man¬ 
agement,  identity  management,  and  other  emerg¬ 
ing  security  issues  that  need  best  practices  before 
they  can  be  automated,”  he  says. 

In  highly  regulated  industries,  best  practices 
and  security  automation  go  hand  in  hand. This  is 
particularly  true  when  it  comes  to  proving  who’s 
accessed  sensitive  data  and  what  events  are  hap¬ 
pening  on  network  segments  where  sensitive 
data  resides,  says  Bernie  Donnelly,  vice  president 
of  quality  assurance  at  the  Philadelphia  Stock 
Exchange. 

“I  was  looking  at  security  automation  back  in  the 


’70s  when  I  had  to  prove  the  same  things  three  times 
to  internal  audit,  external  audit  and  [Securities  and 
Exchange  Commission]  regulators,”  he  says. 

Over  the  years,  as  the  Exchange  diversified  its 
trading  system  platforms,  mainframe  access  con¬ 
trols  no  longer  provided  the  audit  trail  regulators 
required.  The  new  systems  provided  reams  of 
report  data  that  Exchange  personnel  needed  to  sift 
through  just  to  get  at  the  information  in  which  reg¬ 
ulators  were  interested,  Donnelly  says. 

“We  have  all  this  log  information,  but  from  a  secu¬ 
rity  perspective,  we’re  only  interested  in  who’s  try¬ 
ing  to  get  in  and  who’s  trying  to  go  where  they’re 
not  supposed  to,”  he  says. 

So  to  prevent  duplication  of  security  and  system 
expertise,  the  audit  committee  and  security  depart¬ 
ment  created  committees  at  the  system  and  senior 
management  levels.  The  committees  then  worked 
on  ways  to  sort  the  data  to  find  the  exceptions  to  the 
company’s  audit  and  risk  management  policies, 
Donnelly  says.  Ultimately,  the  security  team  built  fil¬ 
ters  to  sift  data  coming  from  network  and  security 
logs.  They  installed  Consul’s  InSight  Security 
Manager  to  manage  events  and  provide  an  audit 
trail  of  internal  activity  across  the  mainframe,  Unix 
and  messaging  servers  that  make  up  the  trading 
infrastructure. 

“We  wanted  one  system  to  bring  this  information 
together.  So  we  worked  with  Consul  because  it’s  an 
offshoot  of  IBM  [Remote  Access  Control  Facility] , 
which  we  still  use  in  our  environment.  Consul  gath¬ 


ers  data  from  all  three  of  our  platforms  into  a  cen¬ 
tral  server,  which  we  can  query  using  a  single  lan¬ 
guage,”  Donnelly  says. 

Note  that  at  the  Exchange,  as  elsewhere,  the  pro¬ 
cess  of  narrowing  the  information  down  to  man¬ 
ageable  levels  called  for  manually  building  filters. 
The  human  is  still  involved  in  querying  the  data  to 
get  to  the  important  information. 

“There  are  hundreds  of  potential  information  re¬ 
sources  to  draw  security  information  from.  The 
problem  is  narrowing  it  down  from  the  99%  you 
don’t  care  about  to  the  1%  that  you  do,”  says  Chris 
Byrnes,  vice  president  of  security  practices  at  Meta. 

The  key  to  automating  security  event  manage¬ 
ment  is  figuring  out  your  sources  and  managing 
them  down  to  a  stream  of  information  that  is  actu¬ 
ally  useful,  then  applying  some  automated  correla¬ 
tion  and  analysis,  he  continues.  Even  correlation 
and  analysis  can’t  be  fully  automated  because  only 
the  enterprise  owners  know  what  questions  to  ask 
the  analysis  engines. 

“If  you  know  what  questions  to  ask  these  tools, 
they  can  provide  you  with  answers.  But  you  have  to 
know  what  you’re  looking  for  and  you  have  to 
specify  the  correlation  rules.  Right  now,  the  vendors 
haven’t  done  that  in  a  way  that’s  useable  in  multi¬ 
ple  installations,”  Byrnes  says. 

Furthermore,  security  information  management 
(SIM)  tools  fail  to  take  advantage  of  information 
already  on  the  network  —  unless  that  information 

See  Auto,  page  S10 
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comes  from  a  product  or  system  developed  or  sup¬ 
ported  by  the  SIM  vendor.  So  gathering  this  infor¬ 
mation  for  deeper  correlation  and  analysis  usually 
means  adding  nodes  and  in-line  devices  all  over 
the  network. 

“This  is  happening  in  both  the  wired  and  wire¬ 
less  spaces.  It’s  the  battle  for  the  security  man¬ 
agement  console,”  says  Diana  Kelley,  executive 
security  adviser  for  Computer  Associates.“If  we’re 
going  to  automate,  it  has  to  be 
integrated  and  open.  We  have  to 
be  able  to  take  information  off 
IDS,  firewalls  and  other  reporting 
mechanisms  in  the  enterprise, 
regardless  of  vendor.  And  for  that, 
we  need  standards.” 

Look  to  standards 

For  the  past  two  years,  CA  has 
been  working  with  the  IETF’s  Open 
Security  Exchange  to  develop  a 
common  way  of  identifying  and 
sharing  security  event  information 
across  multiple  brands  and  types 
of  devices.  The  Open  Source  Vul¬ 
nerability  Database,  started  at  DEFCON  in  August 
2002, to  share  common  vulnerability  definitions 
among  vulnerability  management  systems  is  also 
available.  And  the  IETF’s  venerable  SNMR  which 
network  management  vendors  have  been  using  for 
decades,  remains  a  must-have  in  the  enterprise. 

Coast  Capital  Savings  is  banking  its  security  man¬ 
agement  future  on  SNMP  The  Surrey  B.C.,  credit 
union,  with  2,000  users  in  50  retail  operations,  is 
rapidly  expanding  across  Canada  through  merg¬ 
ers,  acquisitions  and  new  construction. To  support 
the  company’s  aggressive  growth, Andrew  Banman, 
senior  system  engineer,  is  developing  a  “branch  in 
a  box”  template  to  get  branches  up  and  running 
with  standardized  security  manageable  at  a  single 
console. 

“We  need  to  come  up  with  standards  and  boiler¬ 
plate  methodologies,  tools  and  gear  to  support 
manageability  that  won’t  go  out  of  date  in  a  couple 
of  years,”  Banman  says.“The  tools  to  do  this  are  com¬ 
plex.  The  implementation  is  complex.  So  you  need 
to  step  back  and  carefully  plot  a  course.” 

Banman’s  team  is  working  out  an  ambitious  two- 
year  plan  to  unify  all  security  and  management  in¬ 
formation  using  SNMPAlready,  the  team  uses  the 
FirePass  SSL  VPN  box  by  F5  Networks  to  check  the 
security  integrity  of  remote  machines  against  the 
company’s  security  policy  before  allowing  user  ac¬ 
cess  to  the  data  center. 

For  its  custom  banking  applications,  the  team  is 
writing  SNMP  traps  to  track  errors.  And,  from  an 
infrastructure  perspective,  it’s  working  with  Cisco 
and  3Com  to  secure  voice,  video  and  data  on  the 
same  stream. 

“Monitoring  all  this  data  can  become  a  huge 
nightmare.  We’ll  buy  where  we  can,  write  what  we 
can, and  use  SNMP  management  to  help  unify  it  all,” 
Banman  says. 

Leverage  your  infrastructure 

Until  all  standards  are  as  mature  as  SNMP  collect¬ 
ing  and  correlating  security  information  from  dis¬ 


parate  devices  continues  to  be  an  expensive  and  dif¬ 
ficult  undertaking. 

Enter  the  attempts  to  integrate  security  manage¬ 
ment  into  switch  management  platforms:  3Com 
plans  to  integrate  IPS  technology  acquired  from 
TippingPbint  Technologies  early  this  year,  Cisco  last 
year  introduced  its  self-defending  network  concept 
of  secure  access,  IPS  and  security  monitoring,  and 
Enterasys  Networks  offers  integrated  anti-virus  and 
policy  management. 

The  University  of  North  Carolina  in  Chapel  Hill  has 
embraced  Enterasys’  security  management  prod¬ 


ucts  to  block  viruses  or  attacks  at  the  switch  ports  — 
a  function  the  university  gets  without  having  to  in¬ 
stall  a  node  on  each  of  its  3,500  switches  and  65,000 
endpoints. 

When  a  hack  or  viral  activity  is  detected  on  a 
specific  port,  Enterasys  Netsight  Atlas  Console  puts 
that  computer  into  a  remediation  state  until  the 
computer  is  repaired, says  Mike  Hawkins, associate 
director  of  data  networking  at  UNC.  UNC  uses  Net- 
sight  Policy  Manager  to  push  traffic-blocking  poli¬ 
cies  out  to  the  edge  switches  in  response  to  an 
ongoing  threat. 

Combined,  the  products  significantly  reduce  the 
chance  that  malware  might  spread  throughout  the 
network,  Hawkins  says.  “It  takes  less  than  a  minute 
to  stop  an  evil-doer.  And  with  Netsight  Policy 
Manager,  we  can  respond  in  minutes  to  an  ongoing 
threat,”  he  says. 

Determining  where  on  the  network  —  say  the 
switches  or  routers  —  to  take  advantage  of  the  ven¬ 
dor  security  management  capabilities  means  setting 
objectives,  Meta’s  Byrnes  advises.  “You  need  to  ask 
yourself  what  data  you  most  need  to  protect,  what 
sources  of  information  you’ll  need  to  do  that  pro¬ 
tection  and  then  start  looking  at  what  supports 
those  sources,”  he  says. 

With  the  answers  to  these  questions,  you  can 
align  your  security  automation  to  the  business, 
which  is  a  far  cry  from  automating  everything, 
Unisys’  Pironti  says. 

Understand  user  roles 

As  another  example,  take  identity  management. 
The  capability  to  automate  access  management  to 
every  application  on  as  fine-grained  level  as  you  can 
imagine  exists,  as  long  as  you’re  not  adverse  to  writ¬ 
ing  custom  hooks  for  all  your  custom  applications 
and  any  other  applications  with  which  the  vendor 
product  might  not  integrate.  Yet  from  a  business 
standpoint,  automating  user  roles  and  provisioning 
resources  is  simply  not  feasible  at  too  fine-grained  a 
level,  says  Brad  Bauch,  a  partner  with  Pricewater- 
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-  ANDREW  BANMAN,  senior  system  engineer, 
Coast  Capital  Savings 


houseCoopers’ security  and  privacy  practices. 

However,  those  parts  of  identity  management  that 
can  be  easily  automated  already  are  moving  out  of 
security  and  into  everyday  operations  —  per 
Garigue’s  security-maturation  model. 

Bauch  points  to  self-help  password  resets,  which 
have  clearly  demonstrated  ROI  by  reducing  help 
desk  calls  by  up  to  70%  in  some  organizations.  And 
de-provisioning  already  is  fully  automated  in  his 
client  sites  and,  for  the  most  part,  has  become  a 
human  resources  function.  Furthermore,  users  can 
launch  new  account  requests. 

At  Nextel,  for  example,  employees  and  contractors 
can  request  their  own  user  IDs  via  a  Thor  Tech¬ 
nologies’  identity  management  system  that  sits  in 
front  of  the  company’s  FeopleSoft  HR  application.  A 
user  ID  request  sets  off  a  workflow  e-mail  for  provi¬ 
sioned  resources. 

But  Nextel  says  it  doesn’t  provision  fine-grained 
attributes  for  user  roles  and  the  resources  unique  to 
those  attributes  because  of  the  time  involved  in 
developing  such  a  system  across  hundreds  of  cus¬ 
tom  applications, says  Tom  Deffet,  director  of  IT  strat¬ 
egy  and  architecture  at  Nextel. 

“The  work  it  would  take  to  automate  provision¬ 
ing  of  every  combination  of  role  and  application 
boggles  my  mind,”  Deffet  explains. “So  we  plucked 
the  low-hanging  fruit  that  we  could  get  to  quickly. 
It’s  not  our  ambition  to  get  every  piece  of  fruit  off 
that  tree.” 

Nextel  set  up  four  gross  user  roles  —  employee, 
contractor,  business  partner,  customer  —  and  auto¬ 
matically  provisions  access  to  resources  common  to 
all  users  within  those  roles.  For  example,  resources 
allotted  to  the  employee  include  LAN,  email,  VPN 
and  Internet  access.  In  another  year  or  so,  Nextel 
says  it  hopes  to  develop  more  detailed  attributes, 
such  as  department  and  job  title. 

For  the  second  phase,  which  entails  business  part¬ 
ner  self-registration,  Nextel  had  to  wait  for  its  Web 
access  control  vendor,  Netegrity  to  adopt  the  Or¬ 
ganization  for  the  Advancement  of  Structured  In¬ 
formation  Standards’  Security  Assertion  Markup 
Language  (SAML).  Nextel  wanted  SAML  to  support 
delegated  administration,  he  says. 

That  phase  rolled  out  late  last  year.  Now  Deffet’s 
team  is  looking  into  ways  it  can  use  federated  iden¬ 
tity  standards  to  give  Nextel  employees  access  to 
applications  outsourced  to  its  business  partners. 

Such  is  the  pattern  with  all  security  automation, 
Garigue  says.  First  you  identify  the  risk,  then  develop 
standards  and  finally  you  automate  best  practices. 
This  pattern  will  repeat  itself  far  into  the  future,  par¬ 
ticularly  as  companies  deploy  new  data  center 
architectures  for  distributed  and  service-oriented 
computing,  he  adds. 

Radcliff  (www.deb.radcliff.com)  is  a  freelance 
writer  specializing  in  online  safety  and  network 
security. 


Security  automation  in  action 
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being  built 
with  vulnera¬ 
bilities”  that  could 
spread  rapidly  as  Web 
services  are  shared  across  networks,  says 

Fred  Schneider,  director  of  the  Information  Assurance  Institute  at  Cornell.“If 
you’re  building  off  of  something  else, you  might  not  understand  the  properties 
of  everything  you’re  working  with.  Security  is  not  something  you  can  evaluate 
by  looking  at  the  interface,”  he  adds. 

His  research  team,  in  cooperation  with  Intel  and  the  Office  of  Naval  Research, 
is  working  on  a  project  called  Language-Based  Security  The  aim  is  to  put  basic 
tenets  of  solid  security, such  as  in-line  reference  monitors,  information  flow  poli¬ 
cies,  proof-carrying  code  and  certifying  compilers,  into  emerging  technologies. 

Schneider  also  advocates  the  use  of  safe  systems  languages  that  work  much 
like  the  common  C  language. The  hope  is  that  bringing  these  practical  compo¬ 
nents  into  newer  applications  such  as  Web  services  will  shore  up  flaws  that 
extensible  systems  could  generate,  he  says. 


Four  experts  share 
the  latest  research- 
and-development 


news. 


■  BY  SANDRA  GITTLEN 

If  you  think  re-architecting  your 
IT  infrastructure  with  new  data 
center  technologies  will  help  protect 
your  company  over  the  next  decade  —  think 
again.  Experts  at  academic  and  vendor  research 
labs  around  the  country  agree  the  move  toward  an  auto¬ 
mated,  on-demand,  virtualized  computing  environment 
will  increase  the  complexity  of  security 

With  the  new  data  center,  IT  executives  “won’t  be  able  to  think  of  the  enter¬ 
prise  as  a  castle  with  a  drawbridge  and  one  point  of  entry  to  keep  the  bad  guys 
out.  They’ll  have  to  look  at  every  node  in  their  network,  every  computer  in  the 
network,  as  something  to  defend  individually  says  Dirk  Balfanz,  a  researcher  at 
the  Palo  Alto  Research  Center  (PARC)  in  California. 

PARC  is  just  one  of  many  organizations  focused  on  solving  security  problems 
that  lie  ahead.  Among  researchers’  goals  are  reining  in  complexity  improving 
identity  management  and  developing  platforms  to  protect  digital  assets. 

“Complexity  is  the  enemy  of  security  says  Ed  Skoudlis,  an  instructor  at  the 
SANS  Institute  in  New  York.  “The  constant  drive  for  new  innovation  and  new 
functionality  introduces  complexity  And  this  complexity  introduces  flaws.” 

Wireless  networks, Web  services  and  other  emerging  architectures  will  pose 
challenges  for  IT  managers,  Skoudlis  says.“They’ll  need  to  apply  security  at  dif¬ 
ferent  layers  in  the  network.  You  have  security  layers  for  the  older  technology 
and  then  you’ll  need  more  for  the  new  architectures,”  he  says. 

Researchers  at  PARC  concur,  and  so  they  have  been  researching  ways  to  pre¬ 
vent  users,  confronted  with  security  mechanisms  at  too  many  layers,  from  ignor¬ 
ing  or,  worse,  tampering  with  security  procedures.“If  a  security  procedure  is  too 
difficult,  users  won’t  deploy  it. They  may  configure  it  incorrectly  or  they’ll  just 
switch  it  off,”  Balfanz  says,  citing  a  PARC  study  that  found  enabling  laptops  with 
802.  IX  security  took  users  two  hours.  Rather  than  struggle,  users  stopped  using 
the  security  features  of  the  network  which  jeopardized  network  data,  he  says. 

PARC’s  Security  Research  Group  developed  an  architecture  that  eliminates 
these  frustrations  for  users  while  letting  IT  organizations  employ  tighter  security 
With  this  architecture,  users  connect  their  laptop  to  an  “enrollment  station”  via 
a  close-proximity  technology  such  as  infrared.  After  being  authenticated  by  the 
enrollment  station,  the  user  gains  network  access  and  then  receives  a  digital 
certificate  that  automatically  configures  network  policy  settings  on  the  laptop. 
The  whole  process  takes  less  than  2  minutes,  Balfanz  says. 

PARC  is  working  with  vendors  to  put  this  architecture  in  enterprise  products. 


; 


Language-based  security 

Programming  techniques,  including  those  used  in  creating  Web  services,  are 
the  focus  of  security  researchers  at  Cornell  University  in  Ithaca,  N.Y“Web  ser- 


Security  and  privacy 

Ken  Klingenstein,  director  at  the  Internet2  Middleware  and  Security  Initiative, 
says  he’s  not  optimistic  about  the  ability  for  complexity  to  be  reduced.  “Short- 

See  Labs,  page  SI  4 
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sighted  solutions,  deep  vulnerabilities  and  the  nature  of  how  complexity  com¬ 
pounds  over  time  means  we’re  in  for  difficult  times,”  he  says. 

But  improvements  are  possible  in  the  way  resources  are  shared  across  the 
Web,  while  user  privacy  is  protected,  Klingenstein  says.  “What  seemed  to  be 
orthogonal  goals  of  security  and  privacy  can  be  achieved  together”  he  says. 

The  Internet2  created  the  Shibboleth  Project  to  address  the  need  for  simple, 
secure  cross-organizational  data  access. The  Shibboleth  System,  which  com¬ 
prises  open  source  identity  provider  and  service  provider  components,  lets  net¬ 
work  users  access  resources  inside  and  outside  their  organizations  without  suf¬ 
fering  through  multiple  registration  processes.  They  do  not  need  to  offer  per¬ 
sonal  information  unnecessarily 

“The  goal  is  to  have  users  release  only  the  minimum  amount  of  information 
to  content  providers  to  determine  whether  they  are  eligible  for  that  content,” 
Klingenstein  says.This  will  help  reduce  identity  theft  and  fraud,  he  adds. 

Using  common  security  standards  such  as  the  Security  Assertion  Markup 
Language  from  the  Organization  for  the  Advancement  of  Structured  Inform¬ 
ation  Standards  (OASIS),  public-key  infrastructure  and  X.509,  the  Shibboleth 
System  requires  a  content  provider  to  employ  the  service  provider  software 
and  a  user  to  be  part  of  a  network  that  uses  the  identity  provider  software.  Say 
an  academic  goes  to  another  university’s  resource  site  that  is  running  the 
Shibboleth  service  provider  component.  He  will  be  required  to  select  among 
organizations  that  have  site  privileges.  Once  he  chooses  his  university,  the 
browser  automatically  will  send  him  to  his  university’s  sign-on  page,  which 
runs  the  identity  provider  software.  The  academic  then  logs  on,  as  he  nor¬ 
mally  would  with  the  familiar  name  and  password  and  when  he  is  authenti¬ 
cated,  he  is  sent  back  to  the  destination  resource  site  and  is  free  to  access 
information  there. 

Shibboleth  already  is  being  put  through  its  paces  within  the  enterprise. The 
Pennsylvania  State  University  has  tested  the  system  to  allow  students  secure  ac¬ 
cess  to  the  college’s  Napster  music  service.  Meanwhile,  the  grid  computing 
community  has  embraced  Shibboleth  as  a  key  security  technology 

On  the  flip  side,  content  providers  are  panicked  that  the  distributed  nature  of 
data  centers  —  with  detached  devices  and  on-the-fly  extended  enterprise  part¬ 
nerships  —  lessens  their  control  and  jeopardizes  the  security  and  integrity  of 
data.  In  an  era  of  compliance  and  regulatory  restrictions,  this  is  unacceptable. 

But  content  management  researchers  are  working  on  digital  rights  manage¬ 
ment  platforms  that  would  solve  this  problem  —  securing  data  even  if  it  is  out  of 
the  network’s  reach.  IT  organizations  “need  to  understand  where  and  how  data  is 
being  used,” says  Hari  Reddy  director  of  business  development  at  ContentGuard, 
founded  by  former  PARC  researchers.“How  can  you  manage  data  when  it  leaves 
your  security  framework?”  He  points  to  extended  enterprises  and  the  sharing  of 
data  as  one  complication.“I  may  want  to  stop  the  specific  usage  of  data  [we’ve 
exchanged]  at  some  point.” 

Companies  must  be  able  to  map  policies  to  data  and  have  those  policies  act 
as  authorization  tools,  he  says.  “People  not  only  want  to  manage  how  data  is 
consumed,  but  also  how  it  is  distributed,”  he  says. 

ContentGuard  continues  to  develop  extensible  Rights  Markup  Language 
(XrML),  a  de  facto  industry  standard  submitted  to  OASIS  and  other  standards 
groups  as  the  basis  for  any  digital  rights  language  specification.  XrML  extends 
the  range  of  rights-enabled  business  models  for  digital  content  and  Web  ser¬ 
vices.  It  lets  IT  managers  place  detailed  restrictions  on  content  that  is  distrib¬ 
uted  beyond  the  enterprise  walls  and  lets  them  manage  the  life  cycle  of  data 
and  Web  services. 

For  example,  a  company  might  place  a  control  to  distinguish  those  who  are 
allowed  to  use  the  data  or  Web  service  vs.  those  who  can  distribute  it.  “This 
allows  the  creator  of  the  data  to  say,  Alice  has  the  right  to  view  it,  but  Boston 
University  has  the  right  to  license  and  distribute  it,”’ Reddy  says. 

XrML  is  part  of  a  multitiered  distribution  architecture  that  must  feature  a  time 
element  to  limit  how  long  data  is  valid,  Reddy  says.  A  CFO  could  set  an  expira¬ 
tion  date  of  30  days  past  publication  when  distributing  financials  or  a  vendor 
sending  out  a  technical  manual  could  mark  the  material  as  invalid  after  six 
months.This  context  and  control  is  needed  as  data  gets  further  from  its  origin. 

He  says  the  content  store,  which  used  to  manage  data  inside  the  network, 
would  become  the  manager  for  data  no  matter  where  it  flows. 

Gittlen  is  a  freelance  technology  editor  in  Northboro,  Mass.  She  can  be  reached 
at  sgittlen@charter.net. 


Six  researchers  answer  the  question,  “What  are  the  most 
critical  security  issues  1  cing  IT?" 

"A  big  challenge  >r  IT  managers  will  be  cross- 
site  scripting  attacks.  Hackers  are  able  to  corrupt 
SQL  queries  in  Web  forms  and  preempt  what  an 
application  is  intended  to  do.  We  don’t  have  tools 
to  stop  that  an  it  requires  an  understanding  of 
what  the  interface  needs  to  do  to  block  the 
attack.” 

—  Fred  Schneider,  director  of  the  Information  Assurance  Institute 
at  Cor  ell  Universil  Ithaca,  N.Y. 


Radio  frequency  ID  tags  are  going  to  be  very 
easily  hacked.  T  at  has  serious  implications 
because  use  of  these  tags  is  being  proposed  in  a 
lot  f  applications  ....  RFID  technology  should  not 
be  moved  into  high-security  applications  without 
attention  to  authentication  protocols  and  epudi- 
ation  methods." 

—  Mich  Kabay,  associate  professor  for  information  assurance  at 
Norwich  University,  Northfield,  Vt.  (see  www.nwfusion.com. 
DocFinder:  6323) 

"The  trustworthiness  of  an  automated  system 
is  tied  to  the  integrity  and  quality  of  the  informa¬ 
tion  that  is  shared  between  s';  stems.  This  re¬ 
quires  new  trust  models  and  identity  constructs. 
In  some  instances,  messages  will  be  sent  by  enti¬ 
ties  that  are  unable  to  provide  strong  credentials 
in  the  form  of  digital  certificates.  Automated 
systems  will  need  to  be  able  to  infer  trust  based  on  other  types  of 
indicators.” 

—  Bob  Gleichauf,  CTO,  Cisco's  Security  Technology  Group 


“Spam  on  wireless  devices  is  going  to  be  a  signif¬ 
icant  challenge.  CIQs  are  paying  to  download  every 
megabyte  of  data  across  multiple  channels.  They 
don't  want  to  bear  that  cost. These  devices  are  just 
not  secure  enough  for  the  mass  market  yet." 

—  Dave  Steer,  director  of  segment  marketing, 
ARM 


"The  privacy  issue  is  going  to  be  more 
cated  because  Big  Brother  cai  '  ow  who  Is 
what,  where,  how  and  when.  Integration  of  bio¬ 
metrics  in  security  is  going  to  be  much  tighter. .  .  . 
A  d  there  a  ;  going  to  be  more  devices  to  secure 
and  more  systems  that  are  going  to  require  differ¬ 
ent  types  of  access  and  control.  I’d  like  to  think 
that  there’s  going  to  be  distributed  systems  where  you  can  write 
policies  to  provi  3  controls  to  these  devices." 

—  Sharon  Besse  ,  director  of  security  solutions,  Check  Point 

“The  problem  is  that  a  majc  ty  of  enter;  ise 
data  is  no  longer  on  servers  -  :'s  on  the  clients. 

The  bad  point  of  this  is  that  a  lot  of  security 
threats  emanate  from  cliei  s,  I’d  worry  ess 
about  the  m  n-in  the-middle  sniffing  and  more 
about  the  endpoints  and  people  walking  off  with 
laptops,” 

—  Charles  Palmer,  department  manager  for  security,  networking 
and  privacy,  IBM  Research 


Can  you  see  it? 


Middleware  is  Everywhere 


MIDDLEWARE  IS  IBM  SOFTWARE.  Identity  management 
software  that  uses  single  sign-on  technology  to  ensure  that 
the  right  access  is  given  to  the  right  people.  Open,  modular 
Tivoli  security  software  that  automates  processes  between 
employees,  partners,  customers  and  suppliers  -  while 
helping  to  reduce  costs.  It’s  how  everyone  involved 
gets  the  information  they  need.  On  time.  And  on  demand. 


1.  Buyer  downloads  competitive  pricing. 

2.  Manager  securely  retrieves  invoices. 

3.  Driver  obtains  specific  delivery  details. 

4.  Ex-vendor  denied  access  to  intranet. 

5.  Customer’s  identity  protected  from  theft 


Middleware  for  the  on  demand  world.  Learn  more  at  ibm.com/middleware/identity  DEMAND  BUSINESS 
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MIDDLEWARE  IS  IBM  SOFTWARE.  The  powerful  DB2 
Information  Management  Software  Family.  With  industry 
leading  DB2  and  Informix®  databases,  it’s  the  most  complete 
information  management  solution  available.  Built  on  open 
standards,  it  lets  you  access  content  from  various  sources. 
Integrate  information,  boost  productivity,  stay  compliant.  Plus 
gain  insight  to  make  better  business  decisions.  On  demand. 


1.  Takes  virtual  tour  of  vacation  spot. 

2.  Books  flight  with  partner  airline. 

3.  Dispatches  service  automatically. 

4.  Analyzes  schedule  data  dynamically. 

5.  Business  results  reach  new  heights 


DEMAND  BUSINESS 


Middleware  for  the  on  demand  world.  Learn  more  at  ibm.com/information 
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security  operations 
center  is  becoming  an 
enterprise  must-have. 


■  BY  JOANNE  CUMMINGS 

minis  Hal  pill’s  wake-up  call  was 
the  Slammer  worm.  I  Jntil  it  hit,  he1 
had  relied  solely  on  port  blocking 
to  protect  his  enterprise  network 
1  front  hacks  and  intrusions.  After 
he  saw  the  network  carnage  Slammer  wreaked 
around  the  globe.  1  lalpin  knew  he  had  to  revamp  his 
company's  approach  to  network  security 

"I  happened  to  be  with  Microsoft  at  the  time  at  an  \l> A  event 
in  Seattle,  and  somebody  scared  lire  about  what  could  happen 
to  a  port  blocking  based  network  hit  by  Slammer."  recalls 
Hatpin,  who  is  chid  technical  architect  at  iRcvoIntion.  a  man- 
aped  services  provider  in  London.  Although  iKevolut ion’s  net¬ 
work  was  spared  a  direct  lift  In  the  wornr.  Hatpin  knew  that 
had  just  been  luck.  "!  spent  three  hours  researching  the  impli¬ 
cations  of  the  worm,  and  my  hair  went  white.  We  were  as  open 
as  Swiss  cheese."  he  says. 

Although  devolution  had  the  basics  in  place  —  firewalls, 
anti-virus  software,  intrusion-detection  systems  (f|)S>  —  it 
had  no  way  to  combine  alerts  from  these  various  security 
tools  to  build  a  logical  picture  of  the  security  health  of  the 
network. 

T.verything  was  separately  maintained  and  managed, 
t  hey  didn't  speak  to  each  other  and  didn't  give  us  a  busi¬ 
ness  temperature  for  the  enterprise  as  a  whole."  Hatpin 
says.  “So  we  could  see  occasionally  that  we  were  being 
attacked  by  a  particular  type  of  virus  through  e-mail,  hut 
we  couldn't  really  determine  how  big  all  issue  that  was  in 
the  great  scheme  of  tilings." 

Hatpin  decided  then  and  there  to  do  a  complete  security 
overhaul.  His  goal  was  to  build  and  maintain  a  world-class 
security  operations  center  (SOC)  for  devolution  s  internal 
network,  as  well  as  to  help  support  Customers, 

■lust  as  network  operations  centers  (NOC)  continuously  monitor 
networks  to  mitigate  faults  and  ensure  optimal  performance.  S(K's 
continuously  monitor  and  manage  a  range  of  security  devices  and 
events  to  maintain  and  ensure  overall  network  security.  Kxperts 
say  S(  H's  are  becoming  more  common  among  Companies  for  a  vari¬ 
ety  of  reasons,  most  notably 

See  SOC,  page  S20 
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time.  And  how¬ 
ever  long  you  think  it 
will  take,  triple  that. 


-  EAMUS  HALPIN,  thief  technical  architect,  (Revolution 
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Poor  application  performance  is  a  problem 
with  which  many  IT  departments  are  all  too 
familiar.  An  August  2003  study  by  Network 
World  and  Packeteer  found  that  more 
than  60%  of  the  IT  respondents  had 
experienced  significant  application  per¬ 
formance  degradation  -  a  number  that 
climbed  to  nearly  85%  for  companies  with 
revenues  exceeding  $1  billion. 

This  problem  has  negative  effects 
throughout  a  business,  from  reduced 
employee  productivity  to  increased 
customer  dissatisfaction  and  loss  of 
business.  It  also  significantly  reduces  IT 
department  efficiency,  as  staff  members  are 
repeatedly  pulled  away  from  development 
projects  to  troubleshoot  performance 
issues. 

Why  monitor  application 
performance? 

Companies  have  many  reasons  for 
monitoring  application  performance. 

A  major  insurance  company  wanted  to 
proactively  track  compliance  with  service 
level  agreements  (SLAs).  The  company  also 
wanted  to  test  how  infrastructure  changes 
(such  as  consolidating 
servers)  would  affect 
end-user  response 
times,  as  well  as  reduc¬ 
ing  troubleshooting 
time  by  seeing  exactly 
what  was  happening  at 
the  time  a  problem 
occurred. 

A  large  financial  services  company  consid¬ 
ers  good  application  performance  to  be  an 
end  in  itself.  "Efficient  operation  of  our 
networked  applications  is  a  key  element  in 
attaining  our  corporate  vision,"  says  the 
company's  IT  manager.  "In  addition  to 
delivering  high  levels  of  performance  to  our 
large  user  base,  we  need  to  make 
sure  that  new  applications  won't  introduce 


performance  bottlenecks  before  rolling 
them  out." 

A  major  northeastern  commercial  bank 
values  good  application  performance 
because  it  maintains  end  users'  productivi¬ 
ty  -  so  when  problems  do  occur,  the  bank 
needs  to  troubleshoot  them  efficiently.  "We 
were  spending  a  minimum  of  20  hours  a 
month  -  sometimes  up  to  two  or  three 
weeks  -  trying  to  diagnose  the  cause  of 
application  slowdowns,"  says  a  network 
engineer.  "We  just  didn't  have  the  staff  to 
keep  doing  that."  A  particular  problem, 
he  notes,  was  trying  to  determine  if  a 
slowdown  was  a  network  issue  or  a  server 
issue.  "When  our  network  team  thought  it 
was  a  server  problem,  the  server  team 
would  often  claim  it  was  a  network  prob¬ 
lem,"  he  said.  "It  was  difficult  to  pinpoint 
the  exact  trouble  spot." 

Fluke  Networks  SuperAgent  to 
the  rescue 

All  three  of  these  companies  have  found 
that  Fluke  Networks'  SuperAgent 
Application  Performance  Analyzer  provides 
accurate,  detailed  insight  into  end-user 


response  times  throughout  the  enterprise. 
As  a  result,  IT  staff  can  quickly  determine 
whether  a  problem  is  network,  application, 
or  server  related  and  can  rapidly  resolve  the 
issue. 

For  example,  according  to  the  insurance 
company's  IT  manager,  "SuperAgent  helps 
us  better  serve  our  end  users  by  being 
proactive  with  application  performance 
issues  -  and  being  able  to  more 


effectively  baseline 
application  perform¬ 
ance  helps  us  ensure 
that  we  meet  our 
established  Service 
Level  Agreements  for 
transaction  times." 

When  problems  do 
arise,  he  notes  that 
SuperAgent  "can 
mean  the  difference 
between  a  one-hour 
slowdown  and  a  one- 
day  slowdown." 

The  financial  services  company  has  found 
that  SuperAgent  helps  with  everything  from 
service  level  management  to  resolving 
performance  issues  to  capacity  planning. 
The  solution  also  has  virtually  eliminated 
finger  pointing  and  wasted  cycles.  "Before, 
we  could  easily  spend  four  hours  trying  to 
determine  the  cause  of  the  problem,"  says 
the  director  of  network  operations.  "With 
SuperAgent  monitoring  the  network  core, 
we  can  identify  the  trouble  cause  in  about 
15  minutes."  As  a  result,  development 
teams  spend  their  time  creating  and 
deploying  needed  applications  rather  than 
being  bogged  down  resolving  problems. 

The  commercial  bank  finds  that 
SuperAgent's  performance  monitoring 
capabilities  make  the  IT  department  more 
proactive,  identifying  and  resolving 
problems  before  users  are  even  aware  of 
them.  The  tool's  enhanced  troubleshooting 
capabilities  save  them  at  least  20  hours  a 
month  -  plus  it  has  made  a  big  difference 
in  the  relationship  between  the  network 
and  server  teams,  replacing  finger  pointing 
with  cooperation.  "Now  the  server  team 
comes  to  us  when  they  have  a  problem  and 
asks  us  to  monitor  their  servers,"  says  a 
network  engineer.  "We  also  get  requests  for 
troubleshooting  help  from  other  business 
groups  in  the  main  office.  They  all  think 


SuperAgent  is  fantastic  -  they  are  over¬ 
whelmingly  impressed  with  its  reports." 
He  also  describes  a  case  where  slow  per¬ 
formance  of  a  vendor-hosted  application 
was  causing  a  department  to  falL  behind  in 
its  work.  SuperAgent  identified  the  vendor's 
server  as  the  source  of  the  problem,  and  the 
vendor  -  who  hadn't  previously  been  aware 
of  the  difficulty  -  was  able  to  quickly  fix  it. 

The  bank  is  so  impressed  with  SuperAgent 
that  it  soon  will  be  performing  full  server 
monitoring,  with  reports  on  server  avail¬ 
ability  and  alerts  when  utilization  levels 
exceed  a  fixed  percentage.  It  will  also  use 
SuperAgent's  results  to  set  up  SLAs  with 
its  branch  offices,  so  it  can  demonstrate 
compliance  with  agreed-upon  availability 
and  uptime  figures.  "We  just  couldn't  do 
any  of  this  without  SuperAgent,"  concludes 
the  bank's  network  engineer. 

For  more  information  about  application 
performance  management  solutions 
visit  www.flukenetworks.  com/ A  PM 
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"When  our  network  team  thought  it  was  a 
server  problem,  the  server  team  would  often 
claim  it  was  a  network  problem.  It  was 
difficult  to  pinpoint  the  exact  trouble  spot." 

-  Network  engineer  from  a  major  commercial  bank 


Solving  Application  Performance  Problems 

A  Proactive  Approach 
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discipline  based  on  point  solutions  to  something  far  more  pervasive  and  crit¬ 
ical  to  overall  network  health. 

“It  used  to  make  sense  to  have  security  specialists  managing  the  various  fire¬ 
walls,  IDS  and  so  on  because  security  was  at  a  very  specific  location 
on  your  network  and  had  a  very  specific  function” explains  Andreas 
Antonopoulos,  senior  vice  president  and  founding  partner  at 
Nemertes  Research.“But  security  no  longer  works  that  way  The  perime¬ 
ter  is  porous,  and  instead,  security  needs  to  be  applied  at  the  applica¬ 
tion  level, at  the  network  level  and  at  the  storage  level.  It’s  become  a  fea¬ 
ture  of  your  end-to-end  application  delivery  much  like  net¬ 
work  performance.” 

Regulatory  pressure  brought  on  by  the  Sarbanes- 
Oxley  Act  (SOX),  the  Health  Insurance  Portability  and 
Accountability  Act  and  the  Gramm-Leach-Bliley  Act 
also  drives  enterprise  SOC  development. 

“SOX  is  a  good  example  of  a  proactive  driver  for  SOCs,” 
says  Diana  Kelley,  executive  security  adviser  at  Computer 
Associates’  eTrust  division.  “You’ve  got  to  be  ready  for  404,”  she 
says,  referring  to  the  section  of  SOX  that  explains  that  executive  man¬ 
agement  needs  to  take  responsibility  for  establishing  and  maintaining  an 
adequate  internal  control  structure.  “That  means  you  need  the  correct 
and  effective  controls  on  your  business  reporting.  And  once  you  have 
them,  you  need  to  monitor  and  maintain  them,  and  a  SOC  is  an  effective 
way  to  do  that.” 

According  to  preliminary  research  by  Nemertes,  the  average  U.S.  organiza¬ 
tion  plans  this  year  to  up  its  security  budget  100%,  from  2.4%  of  the  IT  budget 
to  4.8%  —  an  increase  Antonopoulos  attributes  almost  entirely  to  regulatory 
compliance.  “I  can  tell  you  that  all  those  companies  that  are  doubling  their 
budget  to  do  regulatory  compliance  are  looking  at  either  building  a  SOC  or 


Five  SOC  pitfalls 
to  avoid 

1.  Technology  tunnel  vision.  Getting  caught  up  in  the  latest 

and  greatest  tools  is  tempting,  but  the  core  of  your  security 
operations  center  (SOC)  should  be  based  on  sound  risk 
assessment  and  security  policies.  C  nee  you've  hammered 


re-engineering  a  SOC  to  comply  with  the  regu¬ 
lations,”  he  says. 

The  trend  to  pull  back  security  monitor¬ 
ing  duties  previously  outsourced  to  man¬ 
aged  security  services  providers  (MSSP), 
especially  in  the  financial  services  sector,  adds  fuel  to  the  fire.  An  internal 
SOC  allows  better  control  and  visibility  into  the  enterprise  network,  and 
reduced  costs  overall,  says  Jim  Tiller,  chief  security  officer  and  vice  presi¬ 
dent  of  security  services  at  International  Network  Services,  a  network  con¬ 
sulting  firm. 

“MSSPs  are  having  difficulty  responding  in  some  cases,” Tiller  says. “With  the 
regular  occurrence  of  worms  and  denial-of-service  attacks,  especially  in  the 
financial  industry  and  the  increase  in  our  vulnerability  and  the  sophistication  of 
those  threats,  the  ability  to  respond  is  strictly  related  to  how  much  visibility  you 
have  in  your  network.  By  pulling  the  management  in,  you  have  more  visibility 
and  can  facilitate  the  ability  to  respond.” 

Plus, “for  large  companies,  the  investment  in  managed  security  services  is 
fairly  significant  and  they’re  seeing  long-term  cost/benefit  with  regard  to 
pulling  that  in-house  and  managing  it  themselves,”  he  says. 


those  out,  you  can  focus  c  the  products  and  technologies 
that  will  best  upport  them. 

2.  Silo  me  talk/,  Don’t  org:'  lize  your  SOC  in  a  silo  sepa¬ 
rate  from  your  network  c  ons.  An  efficient  OC 
depends  on  fully  integrating  security  and  network  monitoring 
tools,  as  well  as  the  staffing  associated  with  them. 

3.  Staffing  mistakes,  d  on't  use  your  veteran  security 
staff  to  do  low-level  monitoring,  and  make  sure  you  have  the 
proper  checks  and  balances  in  place  so  that  no  one  person 
holds  all  the  keys  to  your  network  kingdom. 

4.  Inflexible  tool  sets.  Choose  )ols  that  will  support  r  t 
only  your  current  security  evices,  ticketing  systems  and 
network  monitoring  suites,  but  also  those  that  are  easy  to 
customize  and  offer  a  variety  of  templates  and  wizards.  Be 
aware  that  even  the  best  tool  sets  require  a  good  deal  of  cus¬ 
tomization  and  integration. 

5.  Taking  the  cheap  route.  A  SOC  is  no  place  to  skimp. 
On  average,  large  organizations  should  plan  to  invest  $1  mil¬ 
lion  or  more  to  implement  and  maintain  a  truly  enterprise-level 
SOC.  And  that  investment  will  most  likely  grow  overtime. 

—  Joanne  Cummings 


The  hurdles 

Although  recognizing  the  need  for  a  SOC  is  fairly  easy  building  one  is  not  so 
straightforward.This  is  especially  true  when  the  security  and  network  operations 
groups  have  grown  up  independently  Security  monitoring  might  be  robust,  but 
if  it  is  separate  from  network  operations  monitoring  that  can  be  a  recipe  for  dis¬ 
aster,  experts  say 

“Security  events  don’t  always  appear  as  security  events,”  Antonopoulos  says. 
For  example,  if  a  router  stops  responding  and  that’s  all  the  information  you  have, 
it’s  difficult  to  tell  if  it’s  a  network  problem,  a  systems  problem  or  a  security  prob¬ 
lem.  If  your  network  operations  group  is  completely  separate  from  your  security 
operations  group,  one  of  two  things  will  happen:  “Either  both  groups  will  chase 
the  problem  separately  or  worse,  neither  will  chase  it,  concluding  that  it’s  the 
other  group’s  problem,”  he  says. 

This  confusion  is  exacerbated  when  it  comes  time  for  remediation.  “If 
both  organizations  are  implementing  things  on  the  network  and  monitor¬ 
ing  it,  you  may  come  to  the  point  where  the  network  people  are  changing 
[access  control  lists] ,  reducing  your  security,  or  your  security  people  are 
applying  ACLs  that  are  impacting  network  performance,”  he  says.  “Since 
you’re  not  integrating  this  and  looking  at  it  from  an  end-to-end  perspective, 
you  end  up  with  problems.” 

A  true  SOC  integrates  security  and  network  event  information  so  the 
security  and  operations  staffs  have  an  overall  view  of  the  event  and  the 
effect  it’s  having  on  the  network,  and  can  make  informed  decisions  about 
how  best  to  react  according  to  predefined  security  policies.  But  that’s  eas¬ 
ier  said  than  done. 


See  SOC,  page  S22 


YOUR  COMPANY’S  FIREWALL 


Introducing  DuPont™  certified  limited  combustible  cable.  In  the  event  of  a  fire,  securing  your 
business’  uptime  is  crucial.  The  data  communications  cable  you  choose  could  play  a  key  role  in  protecting 
your  network  technology  investment.  DuPont™  certified  cable  produces  20  times  less  smoke  than  other 
plenum  rated  cables.  And  less  smoke  means  less  costly  downtime,  making  it  the  most  advanced  fire 
safety  cable  technology  available  today.  To  learn  more  about  DuPontrM  certified  limited  combustible  cable 
or  to  request  a  free  CD,  log  on  to  teflon.com/cablingmaterials  or  call  1-800-207-0756. 
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Where  to  start 

Many  organizations  first  look  to  purchase  a  security  event  management  sys¬ 
tem  or  alert  correlation  engine.  But  experts  say  that’s  a  tactical  mistake.  An  over¬ 
all  risk  assessment,  for  determining  the  actual  business  importance  of  each  net¬ 
work  asset,  must  come  first  in  the  SOC  project. 

“You  have  to  apply  your  resources  to  protect  the  things  that  are  most  impor¬ 
tant  to  you,”  says  John  Summers,  global  director  of  managed  security  services 
at  Unisys.  “Some  IT  execs  have  a  very  good  handle  on  their  infrastructures. 

I  They  know  what  assets  are  out  there  and  what’s  running  at  each  IP  address, 

but  very  few  can  tag  a  business  priority  to  their  infrastructure  elements.” 

Knowing  the  business  importance  is  key  because  the  purpose  of  a  SOC  is 
to  enable  not  only  security  event  monitoring  but  also  confident  responses  to 
those  events.“So  if  this  server  went  down,  what  would  it  mean  to  the  business, 

I  and  is  this  server  more  important  than  this  other  one?  Once  you  know  that, 

the  technology  part  tends  to  fall  into  place,”  says  Summers,  who  manages 
Unisys’  three  major  SOCs. 

Technology  caveats 

Choosing  a  technology  platform  comes  next.  The  goal  is  to  find  a  security 
event  management  platform  that  can  work  with  the  variety  of  security  devices 
you  have  in  place,  correlate  their  various  alerts,  and  provide  some  form  of  inte¬ 
gration  with  whatever  you  are  using  for  trouble  ticketing  and  network  opera¬ 
tions  management.  Organizations  need  this  depth  of  visibility  into  the  network 
to  ferret  out  security  breaches,  experts  say 
“A  big  financial  services  company  we  work  with  was  seeing  some  poking  at 
different  areas  of  its  network  around  the  globe,”  CAs  Kelley  says.  “Each  of  the 
pokes  didn’t  look  particularly  bad  individually  but  they  were  all  coming  from 
the  same  IP  address  over  a  period  of  a  couple  of  days.  None  of  it  was  enough  to 
trigger  an  alert  on  its  own,  but  once  the  company  pulled  that  information  into  a 
centralized  console  [within  its  SOC]  and  saw  what  this  one  IP  address  was 
doing  to  its  network  around  the  globe,  things  started  to  add  up.” 

However,  getting  to  the  point  where  you  can  have  such  a  global  view  within 
your  SOC  is  time-consuming  and  expensive. 

In  addition  to  integrated  security  event  managers  from  start-ups  such  as 
ArcSight,  Intellitactics  and  netForensics,  most  of  the  large  network  management 
companies  —  CA,  HP  and  IBM  —  offer  a  security  event  monitoring  capability 
integrated  within  their  platforms.  But  they  all  come  at  a  pretty  hefty  cost. 

“In  the  security  space,  IDSs  generally  don’t  speak  the  same  language  to  your 
management  system  that  your  firewall  does,”  Nemertes’  Antonopoulos  says.  “If 
you  want  to  add  a  rule  into  your  firewall  to  block  something,  you  can’t  use  the 
same  language  you  would  use  to  add  a  rule  in  a  router.  As  a  result, security  event 
monitors  require  a  large  integration  project  to  pull  all  that  information,  turn  it 
into  a  common  format  and  correlate  it  across  all  those  domains.” 

The  vendors  pass  on  the  cost  of  that  large  integration  project  to  their  cus¬ 
tomers.  The  hardware  and  software  for  these  packages  alone  costs  on  average 
$1.5  million  to  $3  million,  Antonopoulos  says.“Add  to  that  three  shifts  of  people 
and  the  integration  into  a  ticketing  system,  and  it  gets  very  expensive,”  he  says. 

IRevolution’s  Halpin  says  his  SOC  project, which  is  based  on  CAs  Unicenter  for 
network  management  integrated  with  CAs  eTrust  for  security  monitoring  and 
||  event  correlation,  costs  approximately  $1  million  and  took  18  months  to  imple- 

ment.The  SOC  has  been  up  and  running  for  about  six  months,  and  Halpin  says 
he’s  just  now  feeling  like  he’s  getting  worthwhile  and  actionable  information 
from  it. 

He  negotiated  a“fair” contract  with  CA,“but  the  majority  of  my  costs  are  in  peo¬ 
ple  time,”  he  says.That’s  because  picking  the  tool  is  one  thing  but  getting  it  tuned 
to  your  particular  environment  takes  time  and  troubleshooting. 

“Anybody  who’s  up  for  this  and  wants  to  see  a  pretty  center  with  blinking  lights 
can  get  that  in  10  minutes,”  Halpin  says.“But  building  a  real  SOC  takes  time.  And 
however  long  you  think  it  will  take,  triple  that, and  then  be  prepared  to  maintain 
it.This  isn’t  easy  and  it’s  never-ending.” 

He  says  one  key  to  easing  the  process  is  to  make  sure  the  tool  you  choose  is 
flexible.  That  means  making  sure  that  not  only  will  it  support  the  various  fire¬ 
walls,  IDSs  and  network  management  platforms  you  have  in  place,  but  also  is 
easy  to  customize  and  tune. 

“It  has  to  be  easy  to  write  rules,”  he  says.“If  you  can  write  those  rules  quickly 


Don’t  give  staffing  issues  short  shrift  as  you  plan  your 
enterprise  urity  operations  center,  pionet  s  advise. 

|  faffing  a  security  operations  center  can  be  almost  as 
challenging  as  building  it  or  paying  for  it,  users  and 
experts  say. 

The  24/7  monitoring  necessary  in  a  SOC  presents  one  of 
the  biggest  hurdles.  "For  companies  used  to  having  securi¬ 
ty  personnel  working  eight  hours  a  day,  five  days  a  week, 
that  dramatically  increases  their  overall  staffing  require¬ 
ments,  since  one  24-by-7  seat  is  equal  to  roughly  five  full¬ 
time  employees,”  says  John  Summers,  global  director  of 
naged  security  services  at  Unisys. 

Faced  with  such  a  prospect,  many  organizations  look  to 
out  corners. 

For  example,  some  make  the  mistake  of  staffing  their  SOC 
solely  with  their  best  security  personnel.  ‘‘Companies  take 
seasoned  security  professionals,  stick  them  in  front  of  a 
screen  and  ask  them  to  do  a  six-hour  monitoring  shift," 
says  Andreas  Antonopoulos,  senior  vice  president  and 
founding  partner  at  Nemertes  Research.  “You  won't  retain 
those  people  too  long  because  they  will  very  quickly 
become  bored,” 

Beyond  boring  and  overworking  a  valued  staffer,  this  tac¬ 
tic  also  could  create  a  huge  security  vulnerability. 

“If  one  person  is  writing  your  security  policy,  implement¬ 
ing  your  policy,  monitoring  it  and  then  checking  for  compli¬ 
ance,  that  person  is  basically  one  huge  risk,"  Antonopoulos 
says,  “There’s  no  separation  of  duties,  and  absolutely  no 
ch<  ks  and  balances.” 

Instead,  a  good  SOC,  like  a  good,  traditional  network 
operations  center,  should  be  staffed  in  tiers,  with  Tier  1 
personnel  receiving  alerts  and  doing  low-level  trou¬ 
bleshooting  and  Tier  2  and  3  people  handling  more  complex 
alerts  and  problems.  In  the  best  of  all  worlds, Tier  1  person¬ 
nel  should  provide  the  first  line  of  response  for  both  the 
security  and  network  operations  sides  of  the  house. 

That  way,  your  more  veteran  security  professionals  can 
handle  the  more  complex  risk-management  and  policy-writ¬ 
ing  tasks,  while  putting  lower-level  staffers  into  the  SOC 
for  the  primary  monitoring. Then,  when  alerts  come  up  and 
the  Tier  1  staffers  t  a  unsure  iqw  to  proceed,  they  can  kick 
u  the  problem  to  aTier  2-  or  3-level  person.  Only  then 
does  your  more  expert,  and  expensive,  staff  get  involved, 

—  Joanne  Cummings 


and  you  have  templates  and  good  wizards  for  it,  then  that’s  going  to  make  the 
whole  process  much  easier? 

But  perhaps  the  biggest  caveat  for  building  a  SOC  is  to  realize  that  your  initial 
million-doilar  investment  is  just  the  beginning.  Because  technology  is  changing 
all  the  time,  so  will  your  security  needs  and  strategies. 

‘Although  I  feel  like  our  security  and  our  SOC  are  very  scalable  now,  I’m  expect¬ 
ing  that  within  three  or  four  years’  time,  we’ll  have  to  throw  the  whole  thing  out 
and  do  something  different  because  security  will  have  moved  on,”  Halpin  says. 
“With  the  amount  of  processing  power  that  is  about  to  become  available  through 
dual-core  and  all  of  the  other  technologies, you  can’t  stand  still.Those  things  will 
have  a  significant  effect  on  the  technology  and  security  marketplace,  and  we 
know  here  that  security  will  always  be  an  ongoing  expenditure.” 

Cummings  is  a  freelance  writer  in  North  Andover,  Mass.  She  can  be 
reached  at  jocummings@comcast.net. 


Worrying  about  viruses  and  unwanted  content  can  hold  you  back.  That’s  why  thousands  of 
companies  across  the  globe  -  from  Fortune  100  organizations  to  small  businesses  -  rely  on 
Sybari  to  secure  their  information  workplaces,  including  e-mail,  instant  messaging,  and 
document  sharing. 


Our  unique  solutions  use  multiple  virus  scanning  engines  and  industry-leading  antispam  and 
content-filtering  technologies  to  stop  threats  before  they  stop  your  business.  Make  the  move 
to  Sybari...  and  experience  the  freedom  of  security  and  productivity. 


George  is  secure  in  his  information  workplace 
^  (and  he’s  not  afraid  to  show  it.) 
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Sybari 


SECURING  THE  INFORMATION  WORKPLAN 


To  learn  more, 

visit  www.sybari.com/nw05 


Visa  takes  Web  services  outside  the  enterprise 
to  streamline  the  charge-dispute  process. 


■  BY  BETH  SCHULTZ 

With  a  corporate  ad  slogan  extolling  “It’s  everywhere  you 
want  to  be”  and  a  payments  network  that  indeed  serves 
nearly  every  country  in  the  world,  you  can  bet  Visa  U.S.A.IT 
executives  feel  the  onus  of  availability  and  reliability. 

Hiccups  simply  can’t  be  tolerated  when  14,000  financial  institutions  count  on 
your  payment-processing  system  for  more  than  $1  trillion  in  annual  transaction 
volume. That’s  5,546  payment-transaction  messages  per  second,  or  100  million 
transactions  a  day  on  average.  (During  the  most  recent  December  shopping 
frenzyVisa’s  message  gateway  handled  9,200  transaction  messages  per  second.) 

Placing  that  volume  in  context  can  be  difficult, says  Sara  Garrison, senior  vice 
president  of  network  and  open  systems  development  at  Visa,  in  Foster  City  Calif. 
But  think  about  this, she  says:“If  you  take  all  the  transactions  across  all  the  stock 
markets  and  exchanges  in  the  world,  and  you  aggregated  them  over  a  24-hour 
period,  we  do  that  volume  over  a  coffee  break.” 

Needless  to  sayVisa  doesn’t  make  infrastructure  decisions  lightly  But  the  com¬ 
pany  does  push  boundaries  and  rapidly  adopts  technologies  that  could  benefit 
Visa  member  banks,  the  merchants  they  serve  and,  ultimately  consumers  hold¬ 
ing  the  458  million  Visa-branded  cards  in  the  U.S.This  doesn’t  mean  the  com¬ 


pany  embraces  technologies  on  the  high-risk  bleeding  edge,  Garrison  says.  But 
it  usually  finds  itself  on  the  leading  edge  —  which  makes  it  well  worth  watch¬ 
ing  as  it  ventures  into  use  of  new  data  center  technologies. 

Take  Visa’s  evolution  toward  a  services-oriented  architecture  (SOA)  and  use  of 
Web  services.  Like  many  companies.  Visa  has  long  recognized  the  inherent 
value  of  services-centric  application  development.  But  Visa  leapt  ahead  of  most 
companies  by  extending  Web  services  to  business  partners. 

As  of  late  last  year, Visa  uses  Web  services  to  allow  direct  communication  be¬ 
tween  its  back-end  systems  and  those  at  member  banks  involved  in  the  charge- 
dispute  process.  Visa  already  used  Web  services  internally  for  this  industrial- 
strength  dispute  management  system,  called  Resolve  OnLine.A  mammoth  un¬ 
dertaking  that  involved  150  developers  working  concurrently  for  nine  months 
to  meet  the  first  release  date,  this  industry-reference  Web  application  for  devel¬ 
opment  projects  is  now  in  its  fifth-generation  release.  Created  by  Visa  develop¬ 
ers  using  Java  2  Platform  Enterprise  Edition  (J2EE), Mercury  and  Rational  tools, 
in  conjunction  with  IBM's  WebSphere  Integrated  Application  Suite,  Resolve 
Online  automates  the  dialog  across  back-end  systems  so  disputes  could  be 
quickly  resolved,  Garrison  says.  Extending  Web  services  to  member  banks  en¬ 
abled  Visa  to  streamline  the  process  further. 

Prior  to  Resolve  Online,  which  went  into  production  in  June  2002,  cardholder 
disputes  had  to  be  processed  on  paper.  Visa  couldn’t  easily  automate  the  pro¬ 
cess  because  of  the  differing  back-end  systems  and  legacy  specialized-func¬ 
tionality  tools  in  use  throughout  the  industry  By  using  Web  services,  Visa  and 
member  banks  have  eliminated  many  of  the  remaining  manual  processes  in¬ 
volved  in  dispute  management.  For  example,  back-end  systems  at  Visa  and 
member  banks  now  can  communicate  directly  regarding  requests  for  transac¬ 
tion  research,  dispute  case  search  and  retrieval,  and  requests  for  copies  of  orig¬ 
inal  paper  receipts.  Visa  secures  the  inter-enterprise  Web  services  transactions 
via  Secure  FTP  sessions  over  SSL. 

Since  implementing  Resolve  Online,  not  only  has  dispute  transaction  length 
been  reduced  but  also  the  number  of  disputes  has  diminished.“The  inquiry 
capabilities  have  lessened  the  number  of  issues  that  come  to  dispute,  and  we 
have  seen  resolution  time  cut  roughly  by  one-third,”  Garrison  says. 

In  2004,  Resolve  OnLine  saved  issuers  $52  million  in  operating  costs,  while 
member  savings  from  the  reduction  in  volume  of  exception  items  exceeded 
$300  million  during  the  year,  she  says. 

This  Web  application  is  a  natural  extension  of  Visa’s  open  systems  goal  of  en¬ 
suring  that  code  can  be  “componentized,  encapsulated,  compartmentalized, 
replaced  and  reused”easily  Garrison  says. 

Visa  readied  itself  for  a  Web  services  SOA  by  building  applications  out  of  self- 
contained  piece  parts,  and  using  J2EE  to  ensure  independence  from  back-end 
hardware  and  operating  systems.  Following  best-practices  guidelines  to  ensure 
scalability  robustness,  security  and  extensibility  also  has  helped.  For  example, 
Visa  has  embraced  the  Open  Management  Groups  Unified  Modeling  Language 
and  IBM’s  Rational  Unified  Process  for  configurable  software  development  and 
automated  testing  of  code. 

“We’re  seeing  viable  reuse,  leading  to  rapid  product  deliver^’ Garrison  says,  cit¬ 
ing  development  of  an  Internet  file  gateway  service  in  three  months  as  one 
example.  Almost  half  —  47%  —  of  components  used  for  that  service  came  from 
the  Resolve  OnLine  code  base. 

Visa  now  uses  Web  services  in  its  new  application  development  projects. 
Already,  about  10%  of  Visa’s  internal  applications  have  Web  services  compo¬ 
nents,  Garrison  says,  and  continued  extension  outward  is  an  absolute  must.B 
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■  EHU  BE 

COMPUTING 


We  triple-dog-dare  you. 

Trojans,  worms,  viruses,  and  application  attacks  don't  scare  the 
all-in-one  Sidewinder  G2*  Security  Appliance.  It  scares  them! 

It  detects  and  stops  them.  It  protects  thousands  of  networks  all 
over  the  world  and  it  can  protect  yours.  It  includes  the  world's 
strongest  application-layer  firewall  that  has  never  been  compro¬ 
mised.  You  can  even  add  optional  anti-virus,  anti-spam,  e-mail 
and  Web  content  filtering,  SSL  VPN,  and  more. 

For  a  free  evaluation,  call  1  800  379-4944. 

New  Security  Assessment  Report  Available!  Read  Black  Hat  Consulting's 
Security  Assessment  Report  on  the  Sidewinder  G2  Security  Appliance.  This 
report  details  how  this  appliance  handles  real-world  attack  methodologies, 
ranging  from  layer  two  to  layer  seven  attack  methods  as  referenced  against 
the  OSI  model.  Visit  www.securecomputing.com/goto/blackhat 


SIDEWINDER 

SECURITY  APPLIANCE 


Firewall/Security  Appliance 
Sidewinder  G2*  Security  Appliance 
Sidewinder  G2*  Enterprise  Manager 

Strong  Authentication 
SafeWord*  RemoteAccess” 

SafeWord®  RemoteAccess,"'  Cisco  comp'-rC  - 
SafeWord®  PremierAccess* 

SafeWord®  for  Check  Point 
SafeWord*  for  Citrix®  MetaFrame® 

SafeWord*  for  Nortel  Networks 


Four  IT  executives  discuss  their  favorite 
new  data  center  technologies. 


■  BY  JULIE  BORT 


In  the  first  of  an  ongoing  user  discussion  series,  four  IT  executives  shared  their  thoughts  on 
hot  new  data  center  technologies.  They  all  agree  that  the  flexible  new  infrastructures  they're 
building  have  a  major  upfront  benefit  —  lower  total  cost  of  ownership  —  and  each  suggests 
a  favorite  young  technology  A  snippet  of  the  conversation  appears  here;  the  full  version 
is  available  online  at  www.nwfusion.com,  DocFinder:  5925. 


Tony  Adams 

IT  analyst 

J.R.  Simplot,  an  agribusiness  firm  in  Boise, 
Idaho 

Virtualization  of  servers  and  storage 
are  our  two  most  significant  infrastruc¬ 
ture  initiatives.  Both  have  been  under¬ 
way  for  more  than  a  year  and  have 
proven  successful  enough  to  warrant  more  aggres¬ 
sive  adoption.  We  have  to  reduce  our  accumulated 
server  sprawl  and  prevent  [more]  sprawl.  We  have 
to  be  more  flexible,  and  virtualization  is  the  ulti¬ 
mate  protection  against  initial  sizing  errors  or 
unplanned  growth.  Our  Intel  server  virtualization  strategy  is  100% 
VMware  ESX  with  a  storage-area  network  (SAN)  .These  two  tech¬ 
nologies  complement  each  other  so  well  that  we  consider  their 
adoption  to  be  co-requisites.  We  also  must  have  a  seamless  disaster-recovery 
capability  ESX  with  a  SAN-to-SAN  remote  mirror  is  a  great  disaster-recovery 
strategy  for  us. 

Carmine  lannace 

Manager,  IT  architecture 
Welch’s,  a  grape-juice  manu¬ 
facturer  in  Concord,  Mass. 

At  Welch’s,  the  extended 
enterprise  already  is  incor¬ 
porated  into  our  business 
model  and,  to  a  degree,  in 
our  IT  systems.  We  currently 
use  a  combination  of  Plumtree 
Enterprise  Portal,  Oracle  and  a  num¬ 
ber  of  business  intelligence  tools 
[such  as  Noetix]  to  collaborate  with 
our  partners  and  produce  unique,  up-to- 
the-minute  views  of  sales  and  marketing  data.  In  the  next  18  months,  we  plan  to 
allow  our  strategic  partners  not  only  to  view  but  also  to  participate  actively  in 
live  business  transactions  in  an  interactive  manner. 

Grid  computing  is  an  interesting  concept  and  might  hold  great  promise  in  the 
near  future.  Grid  infrastructure  is  possibly  the  next  logical  step  in  what  I  believe 
is  the  overall  commoditization  of  the  corporate  data  center.  Companies  that  do 
not  embrace  commodity  servers,  virtualization  and  grid  computing  and  related 
technologies  will  not  be  able  to  effectively  compete  because  of  high  opera¬ 
tional  costs  and  poor  flexibility 

Wireless  technologies  such  as  RFID  will  increase  the  speed  and  effective¬ 
ness  of  order  and  inventory  tracking  in  manufacturing  facilities  and  ware¬ 
houses.  We  will  see  a  great  increase  in  the  use  of  short-range  wireless  tech¬ 
nologies  akin  to  Bluetooth  and  ultra  wideband.  Forget  about  the  ‘last  mile’ 
—  it’s  the  final  10  or  20  feet. 


Head  of  collaboration  services 
information  technology 
Serono,  a  biotechnology  company  in 
Geneva 

Anything  that  can  be  done  to  simplify  the 
architecture,  while  making  it  more  scalable 
and  robust  with  fewer  machines,  network  ports, 
back-up  devices,  CPUs  and  [operating  system] 
licenses,  adds  up  to  a  lower  overall  TCO.  Auto¬ 
mated  systems  that  will  self-heal  would  be 
Utopia  [and  similar  to  what  we’ve  enjoyed  on  the  IBM  pSeries 
and  iSeries  platforms  with  a  processor  failure  detection,  for 
example,  and  continuity  of  service  when  this  occurs] . 

Application  front-end  processors  [AFP]  greatly  enhance  the  use 
of  existing  resources.  [With  an  AFP  you  can]  offload  server  I/O,  [perform]  data 
compression,  multiplex  client  session  requests,  and  [optimize]  Web  applica¬ 
tions.  We’ve  seen  our  server  requirement  decrease  with  AFPs  and  the  WAN  and 
VPN  bandwidth  requirements  drop  dramatically  [in  some  cases,  to  as  much  as 
a  one-ninth  of  the  traffic] .  Network-attached  processing,  or  compute  pools  for 
portals  and  application  servers,  is  a  very  interesting  emerging  technology  for 
performance  management,  and  worth  watching. 

Matthew  Dattilo 

Vice  president  and  CIO  a 

PerkinElmer,  a  scientific  instrument 
maker  in  Wellesley,  Mass. 

We’ve  talked  a  lot  about  tech¬ 
nology,  so  I’m  going  to  leave  that 
alone  and  focus  on  planning  for  change. 

When  we  think  of  designing  a  flexible, 
efficient  and  cost-effective  infra¬ 
structure,  we  really  need  to 
think  in  terms  of  opportunities 
to  enact  change  and  to  imple¬ 
ment  strategy.  If  you  don’t  do  a 
good  job  aligning  things  like 
leases  and  service  contracts,  you  can 
find  yourself  unable  to  take  advantage 
of  developments  in  technology  or 
price/performance. 

An  example  would  be  a  data  center  hosting  con¬ 
tract  that  ran  out  in  2003,  but  all  of  the  leases  were  in 
effect  through  2004,  and  upgrades  to  equipment  ex¬ 
tended  beyond  the  base  equipment’s  lease  term.  In  this 
scenario,  you  either  lose  flexibility  or  pay  a  premium  to  implement  change. You 
might  have  accepted  the  lowest  cost  alternative  for  each  transaction,  but  the 
total  cost  picture  has  [not]  been  optimized. 


Scott  hates  us. 


And  our  customers  couldn’t  be  happier.  Scott’s  a  hacker  and  it’s  our  job  to  make 
his  job  impossible.  We’re  Sophos,  a  global  leader  in  network  security. 


Over  97,000  viruses  want  inside  your  network.  The  number  is  growing  — and  so 
is  the  severity  of  attacks.  Sophos  knows  how  to  stop  them.  Join  the  25  million 
business  users  in  150  countries  who  already  depend  on  our  proven  anti-virus, 
anti-spam  and  email  policy  enforcement  solutions  and  acclaimed  customer  support 
to  protect  against  multiple  evolving  threats. 

FREE  expert  resources  and  the  chance  to  WIN  a  Dell™  Pocket  DJ  at 
stopthethreat.com.  Learn  how  a  proven  multi-tier  network  security  solution 
addresses  your  network’s  protection,  performance,  productivity  and  policy 
enforcement  challenges.  Download  free  white  papers,  analyst  reports  and  webcasts 
from  independent  expert  sources  at  stopthethreat.com.  While  you're  there,  enter 
for  your  chance  to  win  one  of  two  Dell  Pocket  DJs  ($199  value  each). 

SOPHOS 

anti-virus,  anti-spam  and 
email  policy  for  business 


Free  downloads  and  the  chance  to  win  at  stopthethreat.com  ENTER  PIN:  ejm2xza 


Jimmy  had  a  fantastic  vacation.  Unfortunately, 
his  laptop  picked  up  a  tropical  disease. 

No  Problem! 

Introducing  the  world's  first  100%  driver-centric  desktop  firewall 
with  centralized  control 

You  know  the  story  -  Jimmy's  working  in  an  unprotected  network  environment.  Maybe  a  hot-spot  at  a  cafe  or 
airport.  He  checks  his  e-mail.  He  does  a  little  recreational  surfing.  And  his  laptop  is  open  to  attack.  But,  hey,  the  risk 
is  minimal. ..right? 

Now,  you  don't  need  to  worry.  The  NetOp  Desktop  Firewall  provides  all  the  benefits  of  both  personal  and  corporate 
firewalls  in  a  single,  powerful  package  to  shield  your  laptops  and  network  PCs.  Not  only  does  NetOp  prevent 
unwanted  or  dangerous  data  from  entering  or  leaving  your  laptops  -  wherever  they  happen  to  be  -  our  centrally 
managed  process  control  ensures  that  only  authorized  programs  and  services  can  run  on  your  system.  In  short, 
NetOp  expects  the  unexpected! 

But  we  wouldn't  want  you  to  take  any  risks.  So  try  it  yourself,  absolutely  freel  You'll  find  full  details  at 

www.CrossT ecCorp.com . 


www.CrossTecCorp.com  |  800.675.0729 


•  Centrally  manage  and  control  security 
policies 

•  Driver-centric  security  is  always  on  -  even 
before  you  receive  a  network  connection 

•  Intelligent  Network  Detection  switches 
security  policies  when  you  switch  networks 

•  Kill  unknown  processes  before  they  start 

•  Stealth  ports,  Advanced  event  logging, 
Block  all  network  access  &  More 


FREE 

Download  a  fully- 
functional  trial  copy  at 
www.flcfr ecCorp.com 


Desktop  Firewall 


©  Copyright  2000-2005  Danware  Data  A/S.  All  rights  reserved.  NetOp  and  the  red  kite  are  registered 
trademarks  of  Danware  Data  A/S.  Other  brand  and  product  names  are  trademarks  of  their  respective  holders. 


From  the  makers  of  award-winning  NetOp  Remote  Control  &  NetOp  School 


A  fun  and  informative  site  for  anyone  who's  ever 
been  in  the  data  center  when  the  bells  start  ringing. 

Securely  access  and  control  your  IT  infrastructure  with  solutions  that  simplify  and 
accelerate  incident  response,  service  restoration,  problem  diagnosis  and  repair  - 
helping  to  reduce  complexity,  MTTR  and  downtime,  while  improving  productivity, 
flexibility  and  ROI. 


Raritan 


When  you're  ready  to  take 


■  BY  SANDRA  GITTLEN 

K.C.  Claffy,  a  well-respected  member  of  the  computer  science  research  community,  has  made  it  her 
mission  to  understand  the  Internet  and  all  its  nuances.  As  principal  investigator  at  the  Cooperative 
Association  for  Internet  Data  Analysis  ( CAIDA ),  an  8-year-old  collaboration  among  commercial, 
scientific  and  government  entities,  Claffy  watches  over  the  Internet  —  collecting  and  analyzing 
performance  statistics  in  order  to  help  create  an  Internet  robust  enough  to  handle  ever-increasing  resource 
demands .  For  instance,  with  Claffy  leading  the  way,  CAIDA  is  the  go-to  organization  for  information  on  'Net-based 
vims  attacks.  In  this  interview,  Claffy,  one  of  our  50  most  powerful  people  in  networking  for  2004  ( www.nwfu 
sion.com,  DocFinder:  6321),  talks  about  security  on  the  Internet  and  in  the  next-generation  enterprise  network. 


In  your  time  at  CAIDA,  what  Internet  performance  trends  have  you  noticed? 

Consumers  and  producers  in  the  IT  marketplace  have  gotten  used  to  Moore’s 
Law  and  expect  similar  advancements  in  every  product  area.  Combine  the 
push  for  more/better/faster  with  globalization  and  commoditization  and  you 
get  the  happy  result  of  10  Gigabit  Ethernet  selling  for  the  same  cost  per  port 
in  2005  that  lOM-bit/sec  Ethernet  sold  for  in  1985.  At  this  point,  the  challenge 
isn’t  getting  enough  but  rather  keeping  it  long  enough  to  depreciate  it.  Even¬ 
tually,  we’ll  reach  a  saturation  threshold  where  a  vast  majority  of  powered 
devices  are  stagnant.  For  example,  a  TCP/IP  controllable  light  switch  in  your 
home  will  send  about  10  bits  a  minute,  but  because  of  cost-per-port  issues  it 
will  be  connected  by  a  54M-bit/sec  wireless  or  lOOM-bit/sec  wired  Ethernet. 
Upgrades  will  not  be  possible. 


end  result  will  be  a  rapid  advance  of  the  hardware-token  security  business. 
Imagine  something  like  Microsoft  Passport  but  not  controlled  by  any  one 
bank  or  any  one  software  company  but  rather  by  a  federation. 

What  advice  would  you  give  to  IT  executives  at  Fortune  500  companies  that  are  mov¬ 
ing  quickly  to  provide  Web-based  application  access  to  an  ever-widening  user  base? 

I  would  warn  them  against  single-vendor  solutions.  Even  though  multiple  ven¬ 
dors  are  more  expensive  to  manage  and  deploy  modern  enterprises  have  to 
have  diversity  as  a  core  value  and  management  of  diversity  as  a  core  strength. 
Follow  standards,  but  get  your  file  servers  and  desktop  clients  from  different  ven¬ 
dors.  Both  hardware  diversity  and  software  diversity  is  necessary 


When 


isn’t 


Internet  expert  K.C.  Claffy  talks  about 
next-generation  security  architectures. 


What  changes  have  you  seen  in  how  Internet  security  is  handled? 

The  greatest  single  advance  has  been  in  “up  leveling,”  the  training  and  salary 
of  law  enforcement  personnel  responsible  for  managing  information-age  crime. 
Ten  years  ago,  anyone  who  knew  how  to  track  down  a  child  pornographer 
could  make  a  ton  more  money  in  the  private  sector  than  in  the  public  sector. 
Today  these  skills  are  taught  at  the  community  college  level  and  just  about  every 
new  FBI  special  agent  is  an  expert  before  he  gets  his  badge.This  is  good,  but  it’s 
still  only  the  tip  of  the  iceberg.  Inter-governmental  cooperation,  treaties  and 
research  funding  for  information-age  affairs  is  still  tiny  compared  to,  for  exam¬ 
ple,  what’s  done  with  atomic  power  or  space  exploration. 

Do  you  see  any  performance  and  security  problems  that  can’t  be  solved? 

If  some  day  we  do  all  we  can  —  which  we’re  not,  today  —  we’ll  still  be  left 
with  human  nature.  Smart,  motivated  people  will  continue  to  find  ways  to 
break  laws  that  haven’t  been  invented  yet,  and  cause  law  enforcement  and 
the  technology  industry  to  innovate  to  keep  up.  It’s  possible  that  as  an  evolu¬ 
tionary  force,  this  is  good, since  it  ensures  that  complacency  can’t  happen. 

How  will  the  increasing  “Webification"  of  applications  and  use  of  Web  services  affect 
Internet  performance  and  security? 

As  a  ubiquitous  interface,  the  Web  will  make  it  easier  for  more  attackers  to 
try  to  guess  more  passwords. This  will  look,  at  first,  as  though  the  Web  is  less 
secure  than  the  proprietary  interfaces  it  replaces.  However,  the  real  weakness 
is  in  having  guessable  passwords,  or  in  having  passwords  at  all  rather  than 
hardware-token  security  schemes  (like  ATM  cards  and  PINs).  Hopefully,  the 


What  will  security  look  like  for  the  fully  automated,  virtualized,  on-demand  enterprise 
of  the  future?  How  will  that  be  different  than  today’s  security  architecture? 

Today’s  security  architecture  is  a  hodgepodge  of  proprietary  systems  with 
various  high  priests  and  sole  sources  keeping  it  all  running.  In  the  future,  we’ll 
see  single  sign-on  based  on  RFID  and  presence  and  PINs, retinas,  fingerprints, 
smartcards  and  other  hardware-token  schemes.The  time  is  coming  when  em¬ 
ployees  will  use  the  same  card  key  to  get  into  the  parking  lot  and  the  intranet 
Web  server.  When  they  get  home  and  do  their  Christmas  shopping  online, 
they’ll  be  using  an  RFID-enabled  “credit  card”  plus  a  USB  thumbprint  scanner 
to  authorize  credit  and  debit  transactions.  The  reason  we  don’t  have  this 
today  isn’t  that  it  hasn’t  been  invented  yet,  but  that  no  one  trusts  any  single 
company  to  bring  it  to  market,  and  the  federation  of  related  companies  and 
governments  for  this  hasn’t  been  formed  as  yet. 

What's  your  security  advice  when  it  comes  to  building  new  data  center  architectures? 

It’s  ‘motherhood  and  apple  pie’  time.  Security  doesn’t  depend  as  much  on  the 
quality  of  your  locks  or  firewalls  as  it  does  on  the  usability  of  the  secure  system. 
If  you  put  a  man-trap  on  your  data  center  requiring  a  30-second  entry/exit  pro¬ 
cess,  what  you’ll  get  is  the  back  door  propped  open  so  that  your  technicians  can 
go  for  a  smoke  when  they  want  one.  Similarly  if  you  put  in  a  firewall  so  tight  that 
most  things  can’t  get  through  it,  what  you’ll  get  is  a  bunch  of  employees  using 
public  802.1 1  wireless  networks  to  get  the  part  of  their  work  done  that  your  fire¬ 
wall  doesn’t  allow. 

Gittlen  is  a  technology  editor  in  Northboro,  Mass.  She  can  be  reached  at  sgit 
tlen@charter.net. 


CONSTANT. 

CONTROL. 


WITH  THE  DS  SERIES,  YOU  ARE  ALWAYS  IN  CONTROL. 

Local  data  centers.  Remote  offices.  Branch  locations.  They  are  all  within  your  reach.  The  company  who 
invented  KVM  over  IP  just  made  it  better. 

No  more  trips  back  to  the  office.  With  the  all  new  DSView®3  software,  you  can  control  servers 
and  serial  devices  from  a  single  browser  interface  -  you  can  even  power  cycle  or  watch  the  servers 
reboot.  Since  we  load  balance  user  authentication  for  multiple  sites,  you  get  faster  performance  and 
quick  access. 

You  know,  you  might  even  be  able  to  take  lunch.  For  a  virtual  tour  of  secure,  smarter  switching  from 
Avocent,  go  online  to  www.avocent.com/control  or  call  1-866-286-2368. 


Avoce 

The  Power  of  Being 


Avocent,  the  Avocent  logo,  DSView  and  The  Power  of  Being  There  are  registered  trademarks  of  Avocent  Corporation.  Copyright  ©  2005  Avocent  Corporation. 
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Can  your 
network 
transform 
business? 


your 


EVOLVE  AT  WILL.  Can  your  network  turn  a  tight  race  into  a  commanding  lead?  Can  it 
move  quickly  into  global  markets,  help  drive  down  costs  and  be  nimble  in  the  face  of 
changing  competition?  Can  it  offer  both  ultra -flexible  IP-VPNs  and  business  continuity 
services?  Can  it  deliver  innovative  security  and  IP  management  expertise?  With 
networking  solutions  from  AT&T,  you  can  integrate  your  entire  value  chain  into  a  single, 
globally  networked  community.  So  not  only  will  your  enterprise  be  able  to  reach  the 
entire  world — it  might  even  be  capable  of  changing  it.  CAN  YOUR  NETWORK  DO  THIS? 
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AT&T 

The  world's  networking  company 


To  find  out  how  AT&T’s  networking  solutions 
can  help  evolve  the  way  you  do  business,  go  to: 

att.com/transform 

©20C5  AT&T 
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■  WIRELESS  ■  REGULATORY  AFFAIRS  ■  CARRIER  INFRASTRUCTURE  DEVELOPMENTS 


Sprint  boosts  wireless  data  services 

Extended  Workplace  provides  unified  look  at  remote-access  options. 


Sprint's  wireless  SLAs 

The  carrier  is  the  first  to  offer  performance  guarantees  for  both  voice  and 
data  services. 


Calls  that  cannot 

Calls  that  end 

Network 

be  completed 

prematurely 

availability 

Wireless  voice  SLA 

Fewer  than  2% 

Fewer  than  2% 

Fewer  JhanHfcgg 

99.9% 

Wireless  data  SLA 

Fewer  than  1% 

99.5% 

■  BY  DENISE  PAPPALARDO 

Sprint  announced  last  week  at  CT1A 
Wireless  2005  that  it’s  beefing  up  its  wire¬ 
less  services  for  business  users. 

The  carrier  launched  its  Extended 
Workplace  remote  access  platform.  Sprint 
briefly  talked  about  the  service  earlier 
this  month.  Extended  Workplace  offers 
business  users  a  secure  platform  to 
access  their  corporate  VPNs  via  Sprint’s 
PCS  Vision  wireless  data  service,  dial-up 
or  Wi-Fi. 

The  carrier  teamed  with  service 
provider  Fiberlink,  which  also  offers 


secure  remote-access  services  to  busi¬ 
ness  users,  to  develop  a  single,  secure 
client  that  lets  users  see  all  their  access 
options  as  they  travel  around  the  globe. 


PCS  Vision  is  available  across  the  U.S., 
and  Sprint  has  a  network  of  14,000  Wi-Fi 
hot  spots. 

Although  the  service  doesn’t  include 


wired  Ethernet  locations  such  as  those 
offered  with  remote-access  services  from 
competitors  AT&T  and  MCI,  there  will  be 
future  releases  of  Extended  Workplace 
that  likely  will  include  additional  access 
options,  says  Barry  Tishgart,  senior  direc¬ 
tor  of  product  management  at  Sprint. 

The  service  is  available  for  $120  per 
month,  per  user,  for  unlimited  PCS  Vision 
and  Wi-Fi  access.  While  the  plan  includes 
dial-up,  users  pay  for  that  service  based 
on  how  much  they  use.  Users  will  pay  35 
cents  per  hour  for  local  dial-up,  $2.95  per 
hour  for  toll-free  dial-up  and  $1.40  per 
See  Sprint,  page  64 


IETF  eyes  'Net  emergency  communications 

System  would  route  urgent  calls  over  Internet  much  as  911  telephone  network  does  now. 


■  BY  CAROLYN  DUFFY  MARSAN 

The  IETF  has  kicked  off  an  effort  to  devel¬ 
op  communications  protocols  needed  to 
support  emergency  communications  over 


Takes 

■  AT&T  said  last  week  that  it  is  plan¬ 
ning  to  test  WiMAX  technology 
with  two  unidentified  customers  be¬ 
ginning  the  first  week  of  May.  WiMAX, 
the  IEEE  802.16  specification,  is  a  last- 
mile  wireless  technology  that  uses 
the  700-MHz  to  66-GHz  frequency  to 
deliver  transmission  speeds  from  2M 
to  6M  bit/sec.  This  is  AT &T’s  first 
WiMAX  trial.  AT &T  says  it  hopes  to 
use  the  technology  to  lower  its 
access  costs  paid  to  local  exchange 
carriers;  AT &T  says  it  pays  $8.5  bil¬ 
lion  per  year  to  LECs.  The  company 
expects  to  offer  wireless  last-mile 
services  next  year  but  has  not  men¬ 
tioned  how  its  pending  merger  with 
SBC  might  affect  its  plans.  The  two 
customers  testing  the  WiMAX  service 
are  based  in  Middletown,  N.J.,  near 
AT &T's  headquarters. 


the  Internet. 

The  new  IETF  working  group  is  called 
Emergency  Context  Resolutions  with  Inter¬ 
net  Technologies  (ECRIT).ECRIT  is  looking 
for  a  way  to  route  emergency  calls  over  the 


■  Equant  announced  last  week 
that  it  has  inked  two  deals  totaling 
$2.3  million  with  Ampacet,  a 
chemical  compound  manufacturer 
in  Tarrytown,  N.Y.  The  first  is  a 
three-year  contract  to  deploy  and 
manage  an  IP  VPN.  The  second  is 
a  two-year  contract  to  manage  its 
messaging  infrastructure.  Equant 
has  deployed  14  nodes  on 
Ampacet’s  global  network  in  North 
and  South  America.  Ampacet  is 
expanding  its  relationship  with 
Equant  to  add  Ampacet’s  corporate 
locations  in  Asia  and  Europe  to  its 
IP  VPN  network. 

Ampacet  previously  had  frame  relay 
services  from  Sprint,  but  after  billing 
and  network  performance  trouble, 
the  company  said  it  decided  to 
choose  a  new  provider.  After  talking 
with  several  global  service  providers 
Ampacet  says  it  selected  Equant 
because  the  carrier  had  real  net¬ 
work  presences  in  all  the  countries 
where  it  needed  services. 


Internet  similar  to  the  way  in  which  911 
calls  are  routed  over  the  public  switched 
telephone  network  (PSTN). 

If  successful,  ECRIT  would  have  a  signifi¬ 
cant  effect  on  service  providers,  including 
traditional  wireline  and  wireless  carriers, 
ISPs  and  start-up  VoIP  providers,  because 
they  would  need  to  upgrade  network 
hardware  and  software  to  support  any 
new  system. 

Universal  standards 

“The  ambition  of  this  working  group  is  to 
provide  a  universal  solution  for  a  particular 
part  of  the  emergency  communications 
problem,”  says  Jon  Peterson,  an  engineer 
with  NeuStar  who  serves  as  the  Transport 
Area  director  overseeing  ECRIT.  “We  are 
looking  at  how,  based  on  the  context  of  an 
emergency  call,  to  route  it  to  the  right 
emergency  call  center!’ 

ECRIT  is  not  addressing  prioritization  or 
pre-emption  of  emergency  calls,  which  is 
available  in  many  government  and  military 
telephone  systems.  Instead,  the  IETF’s  In¬ 
ternet  Emergency  Preparedness  working 
group  is  handling  those  issues  as  it  devel¬ 
ops  an  overall  architecture  for  communi¬ 
cations  systems  used  for  disaster  recovery 

“We’re  looking  at  the  consumer,  911- 
class  problem  over  the  public  Internet,” 
Peterson  says. 

Because  it  addresses  this  broader  need, 
“ECRIT  is  the  most  important  protocol 
work  going  on  in  the  IETF  related  to  emer¬ 


gency  communications,”  he  says. 

The  IETF  announced  the  ECRIT  working 
group  in  February  and  ECRIT  held  its  first 
meeting  March  9  in  Minneapolis. 

The  PSTN  has  been  configured  to  recog¬ 
nize  specific  numbers  such  as  91 1  or  1 12  as 
calls  for  emergency  services.These  calls  are 
sent  to  special  call  centers  that  handle  em¬ 
ergency  response.  These  emergency  calls 
are  associated  with  the  physical  location  of 
the  call  originator  so  they  can  be  routed  to 
the  appropriate  emergency  call  center. 

With  its  many  overlay  networks  and  tun¬ 
neling  mechanisms,  the  Internet  is  a  more 
challenging  infrastructure  for  building  an 
emergency  communications  system  than 
the  PSTN,  IETF  participants  say  The  ECRIT' 
working  group  is  trying  to  define  the 
requirements  of  Internet-based  emergency 
calling  and  to  select  appropriate  technolo¬ 
gies  for  describing  the  location  of  the  cali 
originator  and  managing  the  call  routing. 

Video,  text  messaging  service 

ECRIT  is  focused  on  VoIP  calls,  but  the 

See  IETF,  page  P4 
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EYE  ON  THE 
CARRIERS 

Johna  Till 
Johnson 


The  Germans  seem  to  have  a  word  for 
everything.  Schadenfreude  is  usually 
translated  as  “glee  over  another’s  mis¬ 
fortune.”  And  it’s  how  I  expected  to  feel 
when  the  news  came  down  last  week  that 
a  New  York  jury  found  Bernie  Ebbers  guilty 
of  conspiracy  and  eight  counts  of  account¬ 
ing  fraud. 

Guess  what?  I’m  not  feeling  gleeful.  The 
closest  way  to  describe  how  I  feel  is 
relieved.  Relieved  because  12  ordinary 
New  Yorkers  actually  get  it:  It’s  not  OK  to  lie, 
cheat  and  steal  your  way  to  success.  And 
it’s  not  OK  to  let  others  do  your  dirty  work 
and  then  argue  that  because  you  didn’t 


Ebbers  verdict:  Comeuppance,  without  glee 


understand  the  details  you  should  be  let 
off  the  hook. 

The  value  of  a  guilty  verdict,  in  many 
cases,  isn’t  the  ability  to  deter  future  crimi¬ 
nals  or  cause  current  ones  to  suffer.  It’s  a 
way  we  as  a  society  associate  a  comeup¬ 
pance  with  a  crime,  and  by  doing  so,  define 
who  we  are  and  what  kind  of  people  we 
want  to  be.  By  saying  certain  behavior  mer¬ 
its  punishment,  we’re  also  defining  what 
kind  of  behavior  we  expect  and  demand 
from  our  citizens. 

Telling  the  truth  and  taking  responsibility 
for  our  actions  are  two  of  the  values  that 
were  reaffirmed  last  Tuesday.  So  I’m 
relieved  that  at  least  some  of  us  still  know 
right  from  wrong  and  believe  in  account¬ 
ability  and  personal  responsibility 

That  doesn’t  mean  last  week’s  verdict  is  a 
happy  event.  Convicting  Ebbers  doesn’t 
return  the  $1 1  billion  to  shareholders  who 
lost  their  life’s  savings.lt  doesn’t  return  jobs 


to  the  thousands  of  MCI  and  WorldCom 
employees  who  lost  their  livelihoods.  It 
doesn’t  resuscitate  the  trashed  careers  of 
the  executives  at  other  telcos  who  had  to 
compete  with  fraudulent  performance  and 
cooked  books.  Sending  Ebbers  to  the  slam¬ 
mer  just  adds  one  more  damaged  life  and 
family  —  his  —  to  the  thousands  his 
actions  left  in  their  wake.  No,  this  convic¬ 
tion  is  not  an  occasion  for  glee  or  even 
quiet  rejoicing. 

But  it  is  a  good  reminder  to  take  a  minute 
and  review  our  fundamental  beliefs  —  the 
standards  of  behavior  that  we  expect  and 
demand  from  citizens,  and  the  violation  of 
which  become  grounds  for  prosecution. 

Here  are  mine: 

•  Leaders  (whether  senior  executives  at 
for-profit  or  not-for-profit  organizations,  pol¬ 
iticians  or  their  appointees,  or  military  offi¬ 
cers)  assume  responsibility  for  defining 
and  living  up  to  a  high  ethical  and  legal 


standard.  They  set  the  example  for  every 
individual  in  their  organizations. 

“I  didn’t  know”  isn’t  an  excuse  for  leaders. 
It’s  your  job  to  know  —  if  you  don’t,  step 
down  and  ask  someone  else  to  lead. 

•  Trust  is  an  essential  commodity  that 
must  be  earned  on  an  ongoing  basis,  by 
telling  the  truth  and  living  up  to  your  word 
—  and  when  necessary,  admitting  and 
making  reparations  for  errors. 

•  CEOs  of  public  companies  need  to 
remember  that  they’re  stewards  of  the 
public  trust.  If  they  want  glamour,  glory 
and  limited  personal  responsibility  — 
they  ought  to  become  actors  or  rock 
stars.  Maybe  Ebbers  should  have  stuck  to 
coaching  basketball. 

Johnson  is  president  and  chief  research 
officer  at  Nemertes  Research,  an  indepen¬ 
dent  technology  research  firm.She  can  be 
reached  at  johna@nemertes.  com. 
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group’s  charter  says  it  also  will  consider 
the  use  of  video  or  text-messaging  com¬ 
munications  to  request  emergency  ser¬ 
vices. 

Hideki  Arai,  an  engineer  with  the  Oki 
Electric  Industry  in  Japan,  said  the  new 
system  “must  be  equivalent  to  traditional 
emergency  calling  . . .  and  it  must  be  easy 
to  migrate  from  the  PSTN  to  the  Internet.” 

Arai  briefed  the  working  group  on  an 
ongoing  Japanese  government  effort  to 
outline  its  own  requirements  for  emer¬ 
gency  calling  with  IP  telephony  services. 

Brian  Rosen,  president  of  start-up 
Emergicom,  says  the  Internet  emergency 
calls  also  need  to  be  traceable  in  case 
something  goes  wrong.“You  need  to  know 
what  happened  to  a  call,”  Rosen  says. You 
also  need  a  call-back  mechanism  in  case 
the  caller  hangs  up,  he  adds. 

Challenges  loom 

Participants  in  the  ECRIT  working  group 
agree  that  building  an  Internet-based 
emergency  communications  system  is  a 
challenge. 

“One  of  the  hardest  things  is  how  much 
do  we  worry  about  being  backwards  com¬ 
patible,”  said  Henning  Schulzrinne,  a  pro¬ 
fessor  of  computer  science  at  Columbia 
University  who  outlined  several  require¬ 
ments  for  emergency  calling  using 
Session  Initiation  Protocol. 

The  ECRIT  system  also  needs  redundan¬ 
cy  and  reliability 

“You  need  to  have  congestion  control 
everywhere  because  when  bad  things 
happen  lots  of  people  make  emergency 
calls,”  Rosen  says. 

The  ECRIT  working  group  seems  to  favor 
using  protocols  developed  by  another 
IETF  working  group  called  Geographic 
Location/Privacy  to  fetch  and  deliver  loca¬ 
tion  information  to  its  emergency  call 
routing  system. 


The  Internet’s  911 

Core  requirements  for  an  Internet- 
based  emergency  communications 
system  include: 


Identifying  and  validating  emergency 
calls  so  that  all  carriers  along  the  call 
path  know  it  is  an  emergency  call. 


•  Determining  the  location  of  calls. 


•  Routing  calls  to  an  appropriate 
emergency  call  center. 


•  Protecting  against  spoofing. 


The  ECRIT  working  group’s  first  mile¬ 
stone  is  to  develop  a  document  that 
defines  the  terminology  involved  in  emer¬ 
gency  communications  over  the  Internet 
and  lay  out  the  requirements  necessary 
for  the  system. The  group  says  it  hopes  to 
have  this  document  completed  in  April. 

After  that,  the  working  group  has  set  an 
aggressive  timetable  for  its  work.  It  plans  to 
complete  a  document  outlining  security 
considerations  in  April.  By  August,  the 
group  intends  to  complete  three  docu¬ 
ments:  one  on  setting  up  communications 
sessions  between  callers  and  emergency 
response  centers;  another  on  associating 
sessions  with  physical  locations;  and  a 
third  on  routing  emergency  calls  based 
on  location  information. 

Peterson  says  he’s  optimistic  that  ECRIT 
can  meet  its  schedule.“At  the  meeting,  we 
had  many  different  groups  presenting  that 
represented  Japan,  Europe  and  North 
America,  and  they  all  outlined  the  same 
core  requirements,”  he  said.“That  was  very 
heartening.”  ■ 
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continued  from  page  63 

hour  for  domestic  roaming  off  of  Sprint’s 
network. 

First  wireless  data  SLA 

Sprint  also  announced  at  the  show  the 
first  wireless  data  service-level  agreement 
(SLA). 

Last  summer  Sprint  became  the  first  wire¬ 
less  service  provider  to  offer  an  SLA  for  its 
mobile  voice  services  for  business  cus¬ 
tomers  (see  www.nwfusion.com,  Doc- 
Finder:  6336). 

Sprint’s  wireless  data  SLA  guarantees 
99.5%  network  availability  and  that  wireless 
data  blocks  will  be  less  than  2%  and  wire¬ 
less  data  drops  will  be  less  than  1%. 

If  the  carrier  misses  these,  metrics  users 
are  entitled  to  a  10%  credit  of  their  wireless 
data  monthly  recurring  charge.  In  other 
words,  if  a  company  pays  $1,000  per  month 
for  all  of  its  wireless  data  services  it  will 
receive  a  $100  credit. 

The  credits  are  not  proactive.  Users  must 
log  on  to  a  secure  Sprint  Web  portal  to  view 
the  carrier’s  monthly  network  performance 
statistics.  If  Sprint  didn’t  meet  its  SLA,  the 
user  then  has  to  request  a  credit. 

“It’s  not  the  type  of  feature  that’s  going  to 
get  customers  to  sign  deals,” says  Bob  Egan, 
president  of  consulting  firm  Mobile 
Competency  But  more  business  users  inter¬ 
ested  in  Sprint  services  might  call  the  car¬ 
rier  to  get  information,  he  says. 

One  drawback  of  the  SLA  is  that  users 
are  required  to  have  someone  internally 
manage  and  monitor  it,  Egan  says.  Every 
month  it’s  that  person’s  responsibility  to 
check  the  Web  site,  request  a  credit  from 
Sprint  if  necessary  and  follow  up  on  those 
requests. 

“It  requires  resources  that  some  users 
may  not  have,”  he  says. 

Sprint’s  Tishgart  points  out  that  this  is 
Sprint’s  first  wireless  data  SLA  and  that  it 
plans  to  continue  to  improve  on  the  partic¬ 


ulars  of  the  guarantee. 

The  carrier  also  announced  the  general 
availability  of  its  Sprint  Managed  Mobility 
Service  (DocFinder:  6337). SMMS  is  a  man¬ 
agement  tool  that  provides  rate  optimiza¬ 
tion,  over-the-air  software  upgrades,  securi¬ 
ty  features  and  asset  management  features. 

Imagistics,  a  document  management 
company,  started  using  the  service  in 
October  last  year  as  it  was  upgrading  all  of 
its  employees’  Treo  wireless  devices. 
Initially  the  Trumbull,  Conn.,  company 
used  the  tool  to  replace  about  1,000  Treo 
300s  with  Treo  600s. 

“Sprint  managed  the  deployment  with¬ 
out  a  hitch,”  says  John  Chillock,  vice 
president  of  customer  service  opera¬ 
tions  at  Imagistics.  “I  could  not  have 
technicians  in  the  field  with  devices  that 
weren’t  running.” 

Imagistics  used  the  service  and  procure¬ 
ment  piece  of  the  SMMS  service,  which 
falls  under  asset  management,  to  upgrade 
its  employees’  devices.  It  is  also  using  the 
security  features,  which  include  zapping 
phones  remotely  if  they  are  lost  or  stolen, 
rendering  them  useless  in  the  hands  of  a 
thief;  and  erasing  corporate  data.The  com¬ 
pany  also  uses  the  billing  tools  that  let  it 
ensure  its  pooled  minutes  plan  meets  the 
company’s  needs,  he  says.  ■ 
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Explore  options  in  local-  and  wide-area  wireless  data 
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VIRUSES  CAN  REPLICATE  1,000  TIMES  A  MINUTE. 

How  fast  can  you  install  a  patch? 


Antivirus  protection  is  a  never-ending  race  against  time.  And  the  bad 
guys  get  faster  every  day.  Good  thing  Websense  software  fills  the  time 
and  technology  gapsthat  existing  antivirus  and  security  solutions  can't 
address.  Close  the  security  gap.  Download  your  free  evaluation 
today,  www.websense.com/patch5 
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Speed  and  Range  expansion 


Watch  streaming  video  or  play  multi-player  games 
faster  than  ever  before.  And  do  it  comfortably  from 
places  that  were  previously  unreachable.  Introducing 
the  Wireless-G  with  SRX  series,  the  newest,  fastest, 
most  powerful  addition  to  the  Linksys  Wireless-G 
family. 

Enjoy  the  Wireless-G  with  SRX  experience: 

•  Up  to  8  times  faster  than  standard  Wireiess-G 

•  Increased  wireless  range  up  to  3  times  farther 
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•  Compatible  with  Wireless-G  and  B  networks 
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MIMO  products  boost  802.1 1g  nets 


■  BY  CRAIG  MATHIAS 

Wireless  LANs  are  a  natural  fit  in  the 
home  and,  for  some,  a  constant  source  of 
fits.  Standard  802.1 1  WLANs  suffer  limited 
throughput,  which  only  worsens  as  the 
distance  between  the  client  and  the 
access  point/router  increases.  The  highly 
variable  nature  of  radio  propagation 
means  seemingly 
short  distances  can 
yield  poor  results, 
especially  when  walls 
and  floors  get  in  the  way 

To  improve  conditions  and  make  WLANs 
robust  enough  to  stream  media,  hardware 
vendors  have  begun  applying  multiple- 
input/multiple-output  (MIMO)  technology 
MIMO  uses  multiple  antennas  on  each  end 
of  a  radio  link  to  send  and  receive  several 
unique  radio  signals  in  a  single  radio  fre¬ 
quency  channel.  The  ability  to  send  multi- 
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■  Netgear  has  announced  plans  to 
develop  a  HomePlug  wall-plugged 
Ethernet  bridge  and  adapters  based 
on  Intellon’s  85M  bit/sec  power-line 
networking  chipset.  The  products  will 
be  suitable  for  high-bandwidth  home 
network  multimedia  applications  such 
as  TV  over  IP,  VoIP  and  multi-room 
DVR.  Netgear  has  yet  to  announce 
pricing  or  availability.  The  Horne- 
PlugAV  specification,  which  will  pro¬ 
vide  100M  bit/sec-plus  data  rates,  is 
expected  to  be  released  in  June. 

■  The  HomePlug  Powerline  Alli¬ 
ance  has  announced  it  will  develop  a 
specification  for  a  low  command  and 
control  technology  that  will  co-exist 
with  HomePlug  power-line  technology. 
The  specification  will  ailow  for  whole- 
house  control  of  lighting  and  appli¬ 
ances,  and  let  them  respond  to  simple 
commands  like  "turn  on”  and  "turn 
off”  and  to  report  their  status  to  a 
controller  device.  Applications  will  in¬ 
clude  security  and  safety  monitoring, 
device  monitoring,  status  reporting 
and  energy  management. 


pie,  distinct  datastreams  over  the  same  sig¬ 
nal  simultaneously  known  as  spatial  multi¬ 
plexing,  can  double  and  even  triple  data 
throughput  rates. 

Moreover,  sophisticated  algorithms  create 
a  signal  that’s  louder,  which  translates 
directly  into  corresponding  improvements 
in  performance. 

Belkin  entered  the  consumer  market  last 
fall  with  the  first 
MIMObased  products, 
built  using  Airgo 
Networks’  chipset  — 
products  Belkin  calls  pre-N,  in  reference  to 
the  IEEE’s  upcoming  802.1  In  standard. 

Since  last  fall,  Linksys,  D-Link  Systems 
and  Netgear  have  shipped  “MIMO-based” 
products.  However,  the  technologies  they 
use  and  call  MIMO  vary  considerably. 
While  all  three  use  multiple  antennas  to 
send  and  receive  multiple  datastreams 
over  the  same  signal,  only  the  Linksys 
SRX  line  uses  spacial  multiplexing  (like 
Belkin)  to  transmit  multiple,  distinct 
datastreams  over  the  same  signal. 

These  first  MIMO-based  products  won’t 
be  compatible  with  those  based  on  the 
final  802.1  In  specification.  However,  they 
are  fully  Wi-Fi-compliant.  Three  important 
questions  remain:  Do  today’s  MIMO-based 
products  provide  sufficient  performance  to 
justify  the  cost?  How  does  the  performance 
compare  with  standard  802.1  lg  products? 
Do  they  cause  interoperability  problems  on 
a  mixed  network? 

To  find  out,  we  devised  a  series  of  tests  to 
determine  how  MIMO-based  products 
would  fare  against  standard  802.1  lg  gear.To 
mitigate  the  effect  of  radio-related  artifacts, 
we  rented  a  house  for  the  sole  purpose  of 
running  these  tests.  It  was  empty  except  for 
our  equipment  and  us. 

To  benchmark  performance,  we  used 
Iperf,  a  free  LAN  test  suite  (www.nw 
fusion.com,  DocFinder:  5852).  We  ran  the 
same  test  in  each  case;  the  only  variables 
being  the  devices  tested  and  their  loca¬ 
tions.  Because  location  can’t  be  repro¬ 
duced  precisely  with  antenna  orientation, 
we  placed  the  client  notebooks  on  turnta¬ 
bles  revolving  at  45  seconds  per  rotation. 
This  let  each  radio  cycle  pass  through  a 
range  of  orientations,  factoring  out  any 
overly  beneficial  (or  detrimental)  position¬ 
ing.  Two  full  cycles  (90  seconds)  defined 
each  run. 

We  tested  two  MIMO  products,  Belkin’s 
pre-N  router  (F5D8230-4)  and  PC  card 
(F5D8010);and  four  standard  802.1  lg  prod¬ 
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Belkin’s  MIMO  technology  outperformed  other  vendors'  non-MIMO 
equipment  (rates  are  in  megabits  per  second). 
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ucts  —  the  Linksys  WRT54GS  router  and 
WPC54GS  PC  Card,  and  the  Netgear 
WGU624  router  and  WG51  IT  PC  Card.  (We 
turned  off  the  power  management  on  our 
Dell  Inspiron  8600  notebook  and  used 
default  driver  settings.) 

The  Iperf  benchmark  ran  in  three  config¬ 
urations.  First,  we  put  the  client  and  router 
in  the  same  room  with  13  feet  apart,  which 
served  as  a  baseline.  For  the  second,  we  had 
the  client  on  the  same  floor  as  the  router, 
45.8  feet  away  and  three  walls  between 
them.  For  the  third,  we  had  the  client 
upstairs,  46. 7  feet  away  from  the  router,  with 
four  walls  and  a  floor  between  them.  We 
tested  all  combinations  of  clients  and 
routers,  and  examined  upstream  and  down¬ 
stream  performance. 

Not  surprisingly  the  MIMO-based  prod¬ 
ucts  from  Belkin  yielded  the  best  through¬ 
put  and  range.  In  the  homogeneous  tests 
(client  and  router  from  the  same  vendor), 
the  non-MIMO  configurations  had  only  41% 
to  72%  of  the  throughput  of  the  pure  MIMO- 
client  and  router.  Moreover,  a  mixture  of 
MIMO  and  non-MIMO  products  yielded  bet¬ 
ter  results  in  every  case  than  a  homoge¬ 
neous,  non-MIMO  configuration.This  shows 
that  MIMO  provides  a  benefit,  even  when 
implemented  on  only  one  end. 


We  experienced  no  interoperability  prob¬ 
lems  —  the  MIMO  gear  worked  well  with  all 
the  other  equipment.  Finally  having  MIMO 
on  at  least  one  end  of  the  connection  let  us 
establish  a  link  when  we  couldn’t  establish 
a  homogeneous  connection. 

The  pure  Belkin  configuration  provided 
nearly  15M  bit/sec  of  throughput  in  the 
upstairs  test,  where  the  homogeneous  con¬ 
figurations  of  the  other  products  usually 
failed  to  connect  at  all. 

Our  interoperability  tests  put  to  rest  any 
concerns  about  the  ability  of  Belkin  pre-N 
products  to  work  with  standard  802.1  lg 
offerings.  The  performance  improvements 
with  MIMO-based  products  on  only  one 
end  of  the  connection  were  impressive. 

We  recommend  these  first  MIMO-based 
products  to  residential  users.There  is  sign  if 
icantly  better  throughput  and  range  perfor¬ 
mance  than  conventional  products  in 
every  case  we  tested.  MIMO-based  is  a  bel¬ 
ter  approach  than  adding  third-party  'nigh- 
gain  antennas  or  active  repeaters  —  it’s  less 
complex  and,  even  with  the  higher  price-, 
usually  less  expensive. 

Mathias  is  the  principal  analyst  at  Fbrpoim 
Group.  He  can  be  reached  at  craig@farpom  ! 
group.com. 
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Securing  Enterprise  Wireless  Networks  and  Mobile  Devices 


“Nearly  one  out  of  every 
two  recorded  digital 
attacks  are  now  taking 
place  via  the  wireless 
route  as  opposed  to 
one  out  every  ten, 
at  the  start  of  2004.” 

mi2g  Intelligence  Unit 


Do  You  Have  Your 
Wireless  Security 
Plans  in  Place? 


The  only  event  focused  on  enterprise  wireless  security  solutions! 

Over  25  of  the  world’s  top  wireless  security  experts,  including: 

•  Craig  Mathias,  Principal,  Farpoint  Group 

•  lain  Gillott,  Principal,  iGillottResearch 

•  Frank  Hanzlik,  Managing  Director,  Wi-Fi  Alliance 

•  Dale  Kutnick,  Chairman  &  Sr.  Research  Advisor,  META  Group 

•  Les  Owens,  Mobile  &  Wireless  Security  Booz  Allen  Hamilton 

•  Lisa  Phifer,  Vice  President,  Core  Competence  Inc. 

•  Paul  Simmonds,  Global  Information  Security  Director, 

ICI  Pic.  &  Founder,  Jericho  Forum 

Pre-conference  Seminar  on  April  19: 

Understanding  Wi-Fi  Risks  and  Countermeasures 


Corporate  Sponsors: 

Media  and  Research  Sponsors: 

Analyst  Sponsors: 

'-^AIRMAGNET 

Network 

NetworkWorld  KE 

Farpoint 

Group 

NEWBURY 

NETWORKS 

FierceWiFi 

swung  JZ 

Wireless 

Rf.  IS 

(fj  Fierce  Wireless 

jJ^METAgROUP 

RDVINGo  RLAfslETi 

InfbWorld 

Mobile 

Enterprise 

WiMAX  Trends* 

RETHINK  IT 

unicorn 

<T  R«aw  Pleiad 

V  /llEr  lnrr  Antiui 

Y  wireless  nonciorce  uihikl 

Endorsed  by: 


□  LIBERTY 
WD  ALLIANCE 

PROJECT 


Mass 

Software 

Council 


("mobile  — _ 

V  ENTERPRISE) 


ill  I  A  N  C  F 


RFID  readers  route  tag  traffic 


RFID  tag  reader 

Radio  frequency  identification  tag  readers  are 
designed  to  be  full-fledged  network  devices  that  act 
as  gateways  between  RFID  tags  and  IP-based  networks. 


HOW  IT  WORKS 
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O  Large  populations  of  RFID  tags  are  attached  to  physical  objects.  The  tags  move  through  multiple  locations,  using 
either  high  frequency  (HF)  or  ultra  high  frequency  (UHF)  radio  signals  to  communicate  with  RFID  tag  readers. 

©  The  RFID  tag  readers  deal  with  collisions  between  tags  and  extract  data  from  each  tag.  Typically,  this  data 
is  the  IP  address  —  like  electronic  product  code,  which  can  be  used  to  find  networked  data  associated  with 
that  tag.  The  reader  then  filters  out  redundant  reads  and  also  may  assign  prioritization  to  different  identities. 

©  Wired  or  wireless  TCP/IP  is  used  to  send  the  extracted  data  onto  a  corporate  network  for  processing  by 
enterprise  systems  such  as  databases  and  business  applications. 


■  BY  MARGARET  WASSERMAN 

At  every  turn,  networks  must  handle  ad¬ 
ditional  traffic  from  new  sources.  One  of 
the  latest  and  soon-to-rise  sources  of  in¬ 
creased  network  traffic  arises  from  the  im¬ 
plementation  of  radio  frequency  identifi¬ 
cation,  which  is  being  used  for  needs  such 
as  supply-chain  management,  tracking  air¬ 
port  baggage  and  prescription  medica¬ 
tion  shipments.  These  examples  alone 
suggest  a  growing  volume  of  TCP/IP  net¬ 
work  traffic  and  data. 

While  conventional  RFID  readers  were 
essentially  data  radios,  today’s  enterprise- 
grade  RFID  tag  readers  —  created  specifi¬ 
cally  for  electronic  product  code  (EPC) 
usage  —  have  been  designed  to  be  full- 
fledged  network  devices  that  can  support 
mission-critical  operations.  In  addition  to 
managing  a  dynamic  population  of  tags, 
then  routing  data  into  networks, databases 
and  business  applications,  these  RFID 
readers  have  to  speak  TCP/IP  natively  and 
fully  support  standard  network  technolo¬ 
gies  such  as  DHCP  User  Datagram  Pro¬ 
tocol  (UDP)/IP  over  Ethernet,  802.1  lx, 
HTTPSNMP  and  remote  upgrades. 

This  design  lets  RFID  be  widely  deploy¬ 
ed  in  an  economical, scalable, secure  and 
manageable  manner  on  WANs  and  LANs, 
even  with  the  two-way  demands  of  RFID 
data  for  networks  and  changes  to  RFID 
tags  emanating  from  within  the  network. 

Driven  by  speedy  network  processors 
and  advanced  software,  RFID  readers  pro¬ 
vide  the  same  load  balancing,  QoS  and 
security  found  in  high-end  IP  routers.  A 
tag  reader  will  facilitate  advanced  appli¬ 
cations  by  acting  as  a  gateway  between 
an  IP  network  and  tags  that  provide  read- 
write  data  storage,  on-board  sensors  and 


other  features. 

The  network  gateway  functionality  of 
RFID  readers  becomes  even  more  critical 
in  light  of  the  channel-sharing,  data-ex- 
change  and  air-interface  protocols  re¬ 
quired  to  accommodate  two-way  TCP/IP 
traffic.  Before  exchanging  information 
with  a  tag,  a  networked  reader  searches 


for  and  retrieves  the  ID  of  each  tag  in  its 
read  zone.  This  discovery  process  pro¬ 
duces  a  list  of  IDs,  which  then  must  be 
made  available  to  an  external  software 
system  such  as  a  warehouse  management 
system  that  resides  on  a  remote  net¬ 
worked  server. 

When  the  warehouse  management  sys¬ 


tem  wishes  to  read,  write  and  update  data 
on  the  tag,  it  routes  the  updated  data  back 
to  the  tag  via  the  reader  through  which 
the  tag  was  orignally  read.  This  is  analo¬ 
gous  to  an  IP  routing  procedure  in  which 
a  reader  forwards  an  encapsulated  data 
packet  to  a  specific  tag. 

The  scenario  is  clearer  in  the  case  of 
sensor  or  actuator  tags,  which  typically 
contain  a  miniature  battery  and  are  used 
for  applications  such  as  time-temperature 
monitoring  of  perishable  goods  in  the 
supply  chain. 

First,  the  same  networked  discovery 
process  applies  in  the  case  of  sensor  tags. 
Then,  bidirectional  communication  oc¬ 
curs  between  the  tag  and  software  resid¬ 
ing  on  a  networked  server.  In  some  cases, 
such  as  time-critical  movement  of  tagged 
packages  on  a  conveyor  belt,  the  reader 
might  be  given  authority  to  act  quickly  on 
a  networked  server’s  behalf.  This  can  be 
accomplished  by  running  specialized 
software  on  the  reader,  or  by  implement¬ 
ing  and  populating  a  policy-based  deci¬ 
sion-making  mechanism,  mimicking  those 
employed  by  high-end  IP  routers. 

The  new  RFID  readers  are  designed  to 
provide  the  functionality  of  a  gateway  for 
large  networks.  RF  interfaces  to  the  tags 
reside  on  one  side  of  a  reader,  with  a  data¬ 
base  server  and  a  TCP/IP  network  inter¬ 
face  on  the  other  side,  fully  equipped  to 
be  part  of  a  networked-distributed  data 
aggregation  and  analysis  system. 

Wasserman  is  vice  president  of  develop¬ 
ment  for  ThingMagic,  serves  on  the  IETF 
Steering  Group  and  is  a  member  of  the 
Board  of  Trustees  of  the  Internet  Society: 
She  can  be  reached  at  margaret@ 
thingmagic.com. 


Dr.  Internet 


By  Steve  Blass 


Is  there  a  way  to  support  Active  Server  Page  docu¬ 
ments  on  an  Apache  Web  server  running  on  a 
Linux  system? 

Yes  —  Apache::ASP,  available  at  www.apache- 
asp.org,  supports  ASP  on  Apache  Web  servers 
that  use  Mod  Perl.  The  package  works  with  Win¬ 
dows  and  Linux  systems.  The  Apache::ASP  pro¬ 
gram  can  be  installed  using  Perl  CPAN.  Start 
"perl  -MCPAN  -e  shell"  to  start  the  CPAN  shell 


interface.  At  the  cpan>  prompt,  issue  the  com¬ 
mand  “install  Bundle::CPAN"  to  update  the  local 
copy  of  the  CPAN  program.  After  the  update  com¬ 
pletes,  issue  the  command  "reload  cpan.”  Now 
you  can  install  Apache::ASP  by  typing  “install 
Bundle::Apache::ASP”  at  the  cpan>  prompt.  After 
installing  that  module,  copy  the  contents  of  the 
site/eg/  directory  from  the  Apache::ASP  installa¬ 
tion  directory.  Add  a  <Directory>  section  to  your 
Apache  httpd.conf  file,  providing  “AllowOverride 


All”  privileges  for  the  .htaccess  file  in  the  newly 
created  ASP  directory  in  your  Apache  document 
tree.  Restart  Apache  after  putting  the  example 
files  (and  .htaccess  file)  in  place  and  you  should 
see  the  Apache::ASP  examples  home  page.  The 
provided  examples  include  a  page  hit  counter,  fill 
out  form  samples  and  XML  parsing  demonstration 
code  to  get  you  started  with  programming  ASP 
files  that  can  be  delivered  from  an  Apache  Web 
server. 
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Back  that  thang  up  -  some  more! 


NETWORK  m 

mmm  m 

Mark  I 
Gibbs 


Last  week  we  started  with  a  rant, 
segued  into  a  review  of  the  IntraDyn 
RocketVault  and  wound  up  talking 
about  the  various  technologies  that 
underlie  the  RocketVault.We  ended  with  a 
discussion  of  the  Common  Internet 
Filesystem. 

We’re  sure  many  of  you  were  left  won¬ 
dering:  “So  where  is  CIFS  in  the  standards 
process  today?”The  answer  is,  sort  of  float¬ 
ing  around.  We  can’t  find  any  specific 
work  on  CIFS  at  the  IETF  other  than  some 
draft  standards  that  exceeded  the  six- 
month  limit  after  which  they  get  dropped. 
Ho  hum. 

Despite  CIFS  being  in  standards  limbo,  it 
is  now  so  widely  used  and  so  well  under¬ 
stood  that  it  is  here  to  stay.  In  other  words, 
it  is  “a  good  thing”  (copyright  Martha 
Stewart). 

Anyway  back  to  the  IntraDyn  Rocket- 
Vault.  We  really  like  this  device.  It  is  a 
terrific  solution  for  small  businesses  and 
branch  offices  despite  a  few  rough  edges. 


Installation  is  simple  enough:  Connect 
the  RocketVault  to  your  DHCP-enabled  net¬ 
work,  browse  to  http://rocketvault/,  and  log 
on  using  the  default  name  and  password. 
Configuration  is  straightforward. 

As  we  said  last  week,  the  RocketVault 
backs  up  any  files  that  it  can  see  on  any 
SMB/CIFS  network  shares  to  which  you 
care  to  direct  it.  You  start  by  defining 
groups  of  shares  and  give  each  group  a 
combination  of  daily,  weekly  and  monthly 
back-up  schedules. 

With  each  of  those  schedules,  you  also 
specify  a  retention  period  that  defines  the 
number  of  backups  that  will  be  kept.  For 
example,  if  you  are  configuring  weekly 
backups  and  you  select  12  week  retention, 
then  when  Week  13  rolls  around  the  back¬ 
up  from  the  first  week  gets  deleted. 

The  various  schedules  allow  for  a  hierar¬ 
chy  of  restore  points.  For  example,  you 
might  have  daily  backups  on  workdays 
with  a  4-week  retention  (that  is,  one 
month’s  worth).  And  you  also  might  have 
weekly  backups  performed  on  a  Sunday 
with  a  12-week  retention,  and  monthly 
backups  performed  on  the  first  of  each 
month  with  a  six-month  retention. 

Unlike  other  back-up  systems,  the 
RocketVault  doesn’t  require  you  to  specify 
whether  backups  are  to  be  full  or  incre¬ 


mental  —  the  device  determines  the  best 
method  based  upon  the  number  of 
changed  files.  The  goal  is  to  balance  the 
back-up  load  so  the  total  run-time  of  each 
backup  is  roughly  constant  from  day  to 
day 

A  feature  called  Remote  Vault  AES  —  the 
AES  part  signifies  that  this  feature  option¬ 
ally  supports  encrypting  the  back-up  data 
using  the  256-bit  Advanced  Encryption 
Standard  —  lets  the  RocketVault  also  back 
up  any  of  the  defined  groups  to  a  remote 
FTP  server. 

A  gotcha  here  is  that  the  RemoteVault 
facility  doesn’t  support  passwords  for 
remote  servers  that  contain  spaces  and 
special  characters,  a  limitation  that  might 
conflict  with  your  system’s  password  policy 

The  RocketVault  also  can  be  used  to 
synchronize  a  source  and  destination  at 
block  level  in  as  close  to  real  time  as  the 
network  and  processing  capabilities  will 
allow.  This  feature  is  called  SyncDR  and 
relies  on  the  Unix  Secure  Shell,  SSH  and 
rsync  utilities. 

We  discussed  SSH  in  this  column  some 
time  ago  (see  “Secure  communications 
with  SSH,”  www.nwfusion.com,  DocFinder: 
6338),  but  rsync  is  a  new  topic  for  us. 

According  to  the  rsync  home  page  (Doc- 
Finder:  6339), “rsync  is  an  open  source  util¬ 


ity  that  provides  fast  incremental  file  trans¬ 
fer!’  To  put  a  little  more  meat  on  those 
bones,  rsync  implements  a  remote-update 
protocol  that  allows  for  the  transfer  across 
a  network  connection  of  just  the  differ¬ 
ences  between  two  sets  of  files  using  an 
efficient  checksum-search  algorithm. 

While  rsync  can  be  used  locally  to  make 
file  copies  on  the  local  machine,  its  value 
lies  in  copying  to  and  from  remote 
machines.  In  this  role,  rsync  simply  can  list 
the  files  on  a  remote  machine  or,  more  use¬ 
fully  copy  files  in  either  direction  between 
the  local  machine  and  a  remote  machine 
using  a  remote  shell  (such  as  SSH)  at  both 
ends,  an  rsync  server  at  both  ends,  or 
a  remote  shell  at  one  end  and  an  rsync 
server  at  the  other. 

You  can  run  rsync  on  Windows  but  you 
first  need  to  install  the  Cygwin  system  that 
we  discussed  in  Gearhead  some  time  ago 
(DocFinder:  6340).  And  even  then  you 
won’t  be  happy  as  we  are  told  that  rsync  on 
Cygwin  will  choke  on  files  larger  than  2G 
bytes.  Well,  darn. 

We’ll  wrap  this  up  next  week.  Meanwhile, 
we  're  waiting  to  hear  from  you  at  gearhead 
@gibbs.com.  And  have  you  checked 
Gearblog  this  week  (DocFinder:  6341)?  If 
not,  why  not? 


Cool 

Quick  takes 
on  high-tech  toys 

By  Keith  Shaw 


CTIA  highlights  more  than  cell  phones 


Here’s  a  quick  look  at  some  of  the 
highlights  from  last  week’s  CTIA 
Wireless  2005  show  in  New 
Orleans,  where  the  cell  phone  industry 
trots  out  the  latest  cell  phones  and  other 
handheld  devices  that  aim  to  ooh  and 
ahh  us  through  the  spring  and  early 
summer. 


With  LG's  VX8100  you  can  view 
on-demand  video  clips. 


LG  showed  off  its  VX8100,  succes¬ 
sor  to  the  VX8000  phone  current¬ 
ly  being  sold  by  Verizon  Wireless 
that  works  on  the  Code  Division  Multiple 
Access  Evolution-Data  Optimized  network  and 
has  the  ability  to  view  on-demand  video  clips.The 
VX8100  phone  has  all  the  features  of  the  VX8000 
(including  a  1. 3-megapixel  camera  with  a  flash 
and  a  camcorder  that  can  record  up  to  15  sec¬ 
onds  of  video)  with  the  addition  of  Bluetooth 
connectivity  and  a  mini-Secure  Digital  mem¬ 
ory  card  slot  for  additional  storage.  LG  and 
Sprint  also  announced  the  MM-535,a  phone 
with  a  slider  design  that  also  includes  a  1.3- 
megapixel  digital  camera,  mini-SD  card 
slot, speakerphone  and  3-D  sound  capabil¬ 


ities.  Pricing  and  availability  of  the  phones  was  not 
announced. 

There  are  always  accessory-related 
announcements  at  the  show,  and  Bluetooth 
headsets  are  always  in  abundance.  Plantronics 
showed  off  two  new  headsets,  a  premium 
model  code-named  Tahiti  features  an  entry- 
level  headset  (code-named  Tonga)  that  has  up 
to  nine  hours  of  talk  time  and  has  an  easier 
way  to  answer  and  end  phone  calls,  and  adjust 
the  volume  (instead  of  multiple  buttons,  users 
press  one  button  to  answer/end  calls  or  move  it  for¬ 
ward  or  backward  to  adjust  the  volume).  Plantronics 
officials  say  the  Tonga  headset  will  cost  around  $50,  mak¬ 
ing  it  affordable  for  first-time  Bluetooth  headset  users. 
Pricing  for  premium  models  usually  ranges  from  $70  up 
to  $150. 

Sometimes  you  don’t  need  a  cell  phone-related  product 
to  make  a  splash  at  the  show.  GN  Netcom  was  showing  off 
its  GN  9350,  a  wireless  headset  that  connects  to  a  tradi¬ 
tional  desktop  phone  and  can  be  connected  to 
VoIP  applications  through  an  integrated  USB 
adapter.  With  the  click  of  a  button  on  the  wire¬ 
less  headset,  users  can  switch  from  their  office 
phones  to  VoIP  soft  phone  applications  and 
answer  different  calls.  The  company  wasn’t  say¬ 
ing  what  wireless  technology  it  was  using,  but  said 
it  wasn’t  Bluetooth  because  it  wants  to  achieve  a 
range  of  up  to  450  feet  in  an  office  environment. 
The  9350  also  includes  digital  signal  processing 
technology  that  is  designed  to  help  enhance  and 


LG  and  Sprint's  MM-535  phone  features  a  slider  design, 
digital  camera,  3-D  sound  capabilities  and  more. 


Plantronics'  Tahiti  headset  is  an  entry-level 
Bluetooth  hands-free  device. 


clean  up  the  incoming  signal  to  help 
improve  call  sound  quality, 
GN  Netcom  says.  For 
example,  the  headset  can 
monitor  and  adjust  the 
signal  volume  on  each 
call  (whether  it  comes 
from  a  VoIP  connection  or  a 
regular  analog  call)  so  that  users  hear  every  call  at  the 
same  level.  It  also  features  an  extendable  boom  arm  and 
noise-canceling  microphone,  so  it  can  adjust  to  the  shape 
of  a  user’s  face  more  comfortably  The  device  is  sched¬ 
uled  to  be  available  in  the  fall.  Pricing  was  not 
announced. 

The  product  1  got  most  excited  about  had  no  cell  phone 
network  attached  to  it.  Research  In  Motion  showed  a  pro¬ 
totype  of  its  upcoming  7270  handheld,  which  uses  a  Wi-Fi 
connection  to  provide  users  with  the  same  wireless 
e-mail  capability  they  get  through  a  wide-area  connec¬ 
tion.  While  some  users  might  scoff  at  having  a  Wi-Fi-only 
connection,  this  device  should  be  interesting  to  corpora¬ 
tions  that  have  a  Wi-Fi  network  on  their  campuses.  They 
can  have  a  device  that  lets  roaming  employees  (not  road 
warriors  but  those  who  wander  from  their  desks)  keep  up- 
to-date  on  their  e-mail  and  a  VoIP  application  that  lets 
them  make  and  receive  phone  calls  as  if  they  had  never 
left  their  desks.  More  details  are  promised  later  this  spring. 


Shaw  can  be  reached  at  kshaw@nww.com. 
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F******  SU  Is  Layer  5  the  best  place  to 

ImGGvTT  attac*<  WAN  optimization? 


Two  vendors  debate  the  pros  and  cons  of  handling  optimization  at  the  session  layer. 


Yes,  by  Andrew  Foss, 
Swan  Labs 


No,  by  Jef  Graham, 
Peribit  Networks 


s  companies  become  more  distributed  and  remote  workers  using  bandwidth¬ 
intensive  applications  over  the  WAN  more  numerous,  the  need  for  better  WAN 
optimization  and  application  acceleration  techniques  has  become  glaringly 
apparent.  Most  approaches  to  solving  this  problem  focus  on  either  Layer  3  (the 
network  layer)  or  Layer  7  (the  applications  layer)  of  the  Open  Systems  Inter¬ 
connection  model.  However,  by  combining  the  best  of  both  of  these  approaches  and  then 
managing  traffic  sessions  at  Layer  5  (the  session  layer), application  performance  and  WAN 
optimization  can  reach  an  entirely  new  level. 

Technologies  aiming  to  solve  the  bandwidth  problem  at  Layer  3  accelerate  all  traffic 
over  the  WAN  by  reducing  the  duplication  of  data  in  the  datastream  as  it  enters  the  WAN. 
These  technologies  have  two  key  shortcomings;  First,  they  require  significant  processing 
resources  and,  in  some  cases, actually  can  slow  down  traffic. Second, Layer  3  technologies 
are  not  aware  of  the  functions  of  the  applications  merged  into  the  datastream,  so  they  are 
unable  to  speed  up  traffic  for  any  specific  application. 

Other  technologies  focus  solely  on  accelerating  the  performance  of  individual  appli¬ 
cations  by  compressing  data  and  streamlining  protocols  at  Layer  7.  However,  because 
these  “accelerated”  applications  are  mixed  in  with  uncompressed  WAN  traffic,  it  is 
impossible  to  guarantee  that  the  compressed  application  consistently  will  perform  as 
required.  Also,  application-layer  technologies  only  increase  the  performance  of  a  sin¬ 
gle  application  —  they  suffer  a  dramatic  performance  drop-off  when  working  with  two 
or  more  applications,  as  they  tend  to  favor  the  application  for  which  they  were 
designed. 

Combining  WAN  optimization  and  application  acceleration  by  managing  traffic  at  Layer 
5  provides  the  ability  to  examine  application  datastreams  before  they  merge,  which  finds 
and  removes  more  redundancies  than  Layer  3  methods.  This  eliminates  data  transfer 
redundancy  by  grouping  data  by  session  and  sending  only  once,  which  reduces  the  num¬ 
ber  of  data  roundtrips  over  the  WAN. 

By  looking  at  all  application  datastreams  and  automatically  determining  which  streams 
can  benefit  from  compression  and  protocol  optimization, WAN  optimization  technologies 
that  operate  at  Layer  5  also  can  accelerate  more  traffic  types  than  Layer  7  tech- 


he  notion  that  WAN  optimization  is  best  attacked  at  a  single  layer  of  the  Open 
Systems  Interconnection  model  —  Layer  5,  the  session  layer  —  is  intriguing. 
However,  reality  suggests  otherwise. WAN  performance  is  affected  by  many  fac¬ 
tors,  each  of  which  has  unique  characteristics  that  must  be  addressed  at  differ¬ 
ent  OS1  layers  to  have  the  greatest  possible  impact.  Approaching  the  problem 
at  too  low  or  too  high  a  level  produces  sub-optimal  results. 

For  WAN  optimization,  problems  should  be  resolved  at  the  lowest  possible  layer  to 
achieve  the  broadest  applicability  across  the  greatest  number  of  applications  with  the 
least  amount  of  complexity  Consider  the  two  most  pressing  issues  affecting  WAN  perfor¬ 
mance  today:  bandwidth  and  latency 

Solving  the  bandwidth  problem  requires  reducing  the  amount  of  traffic  crossing  WAN 
links  to  free  up  additional  capacity  The  key  to  reducing  WAN  traffic  is  pattern  matching  — 
preventing  redundant  data  from  consuming  valuable  bandwidth  by  sending  it  once,  then 
replacing  repetitious  transmissions  with  a  tag  or  label. 

For  pattern-matching  to  be  effective,  WAN  optimization  products  must  look  across  multi¬ 
ple  sessions  and  users  to  identify  and  remove  the  greatest  number  of  repeated  data  pat¬ 
terns.  While  pattern-matching  at  Layer  5  will  identify  redundant  patterns  within  a  single  ses¬ 
sion,  it  will  miss  repeated  patterns  across  different  sessions. 

For  maximum  effectiveness,  pattern-matching  is  best  performed  at  Layer  3,  the  network 
layer,  where  algorithms  can  be  applied  that  recognize  patterns  of  any  size,  across  multiple 
sessions  and  applications  —  including  User  Datagram  Protocol  (UDP)-based  applications 
such  as  VoIP  By  optimizing  at  a  lower,  protocol-independent  layer,  pattern  matching  has 
the  greatest  possible  impact  across  the  widest  range  of  WAN  traffic  while  being  com¬ 
pletely  transparent  to  existing  network  devices  and  servers. 

When  it  comes  to  latencythere  are  two  issues  to  address,  both  of  which  require  different 
approaches  at  different  OS1  layers.  First,  latency  affects  the  performance  of  TCP-based 
applications  at  Layer  4,  the  transport  layer.  Because  TCP  restricts  the  amount  of  data  sent 
across  the  WAN,  traditional  approaches  aren’t  always  sufficient  to  improve  performance. 
The  ideal  solution  must  seamlessly  replace  TCP  at  Layer  4  with  a  more  efficient  protocol 
designed  specifically  to  deal  with  latency  and  accelerate  TCP-based  applications. 


nologies.And  by  reusing  the  compression  dictionaries,  technologies  that  oper¬ 
ate  at  Layer  5  greatly  reduce  the  number  of  needed  updates.This  optimizes  the 
WAN  connection  for  ROI  while  guaranteeing  the  behavior  of  networked 
applications  under  a  variety  of  WAN  conditions. 

The  volume  of  enterprise  WAN  traffic  continues  to  grow  as  applications 
become  ever  more  sophisticated,  and  the  old  rules  can  no  longer  handle  this  new, 
speedier  data  flow.  By  converging  application  acceleration  with  WAN  optimiza¬ 
tion  and  managing  it  at  Layer  5,  WAN  optimization  products  let  appli-  More  online! 

cations  used  over  the  WAN  experience  true,  LAN-like  performance.  Log  on  to  Network  World  Fusion  to  voice  your  opinion. 


WAN  latency  impacts  “chatty”  applications,  which  require  hundreds  or  even 
thousands  of  time-consuming  round  trips  between  the  client  and  server  to 
complete  a  transmission.These  applications  require  protocol-specific  accei 
eration  to  minimize  chattiness  and  speed  up  performance  across  the  WAN. 
This  is  best  addressed  at  the  top  of  the  OSI  stack  —  Layer  7,  the  application  lav.  :'. 
Clearly,  no  single  OSI  layer  offers  a  magic  tonic  for  WAN  optimization  An 
approach  that  provides  broad  coverage  with  the  least  amount  of  overlap  is  a 
much  better  strategy 


Foss  is  CEO  of  Swan  Labs,  an  enterprise  application  company.  He 
can  be  reached  at  afoss@swanlabs.com. 


Face-off  authors  Jef  Graham  and  Andrew  Foss  > 
add  their  thoughts  to  the  discussion. 

DocFinder:  6328 


Graham  is  president  and  CEO  of  Peribit,  a  vendor  of  WAN  app1  Lo¬ 
tion  performance  products.  He  can  be  reached  at  jgraham@pen 
bit.com. 
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ON  TECHNOLOGY 

John  Dix 

Keep  this 
survey for 
Mure  use 

Companies  upgrade  their  Ethernet  switching  infra¬ 
structure  every  four  years  because,  in  descending 
order  of  priority,  the  gear  is  near  the  end  of  its  useful 
life,  bandwidth  is  running  out  or  they  require  new  features. 

Those  are  some  of  the  conclusions  found  in  a 
Goldman  Sachs  bulletin  released  this  month  that  is 
based  on  a  survey  of  100  network  managers  in  Fortune 
1000  companies. 

Unlike  PCs,  where  purchasing  cycles  are  more  obvious 
because  of  processor  advances,  it  has  been  hard  to  gauge 
LAN  upgrade  cycles.  Goldman  Sachs  says  its  survey 
“showed  evidence  that  enterprise  switching  equipment 
has  a  rolling  upgrade  cycle  centered  on  a  four-year  equip¬ 
ment  life.” 

And  most  of  the  companies  surveyed,  46%, said  end-of- 
life  replacement  is  what  drives  their  Ethernet  upgrade  deci¬ 
sions.  Another  28%  said  they  trade  up  because  they  need 
more  bandwidth  for  things  such  as  VoIP  and  multimedia 
and  collaboration  applications. 

A  smaller  percentage,  19%,  said  they  are  driven  to 
upgrade  by  the  need  for  new  features.  More  than  half  of 
the  users  in  this  camp  say  they  are  upgrading  to  enhance 
security.  Of  the  others  looking  for  new  features,  19%  cited 
VoIP  as  the  driver,  another  19%  said  they  wanted  to  add 
support  for  wireless  LANs,  and  10%  said  they  needed 
Fbwer  over  Ethernet. 

The  survey  also  drilled  down  into  enterprise  VoIP  plans. 
Only  29%  of  respondents  who  said  they  are  deploying  VoIP 
are  doing  so  across  their  organizations,  while  the  rest  are 
implementing  it  in  certain  locations  (23%)  or  in  limited 
pilot  groups  (28%). 

“The  survey  indicates  that  enterprise  VoIP  deployment  in 
2005  has  momentum,  but  a  significant  portion  of  the  2005 
deployments  may  be  tactical  rather  than  strategic,” 
Goldman  Sachs  concludes. 

For  those  ready  to  make  the  VoIP  plunge,  the  survey 
shows  Cisco  is  the  partner  of  choice.  Of  the  respondents 
who  said  they  are  planning  to  deploy  VoIP  equipment  in 
2005,43%  have  Nortel  PBXs  today  and  38%  have  Avaya 
gear. The  VoIP  equipment  they  are  most  likely  to  migrate  to? 
Cisco  got  58%  of  the  votes,  17%  said  they  will  use  Avaya, 
and  13%  will  install  Nortel. 

Goldman  Sachs  inquired  about  interest  in  IP  Centrex 
and  found  that  more  than  a  quarter  of  the  respondents 
“will  use  VoiP  services  in  some  locations,  our  own  equip¬ 
ment  in  others.” 

While  the  findings  about  upgrade  cycles  essentially  verify 
what  most  people  could  have  guessed,  having  a  reputable 
third  party  put  it  in  writing  might  prove  useful  in  future  pro¬ 
ject  justifications. 

—  John  Dix 
Editor  in  chief 
jdix@nww.com 


Sarbox’s  precedents 

Regarding  Johna  Till  Johnson’s  column,  “Hate 
Sarbox?  Blame  Bernie  Ebbers”  (www.nwfusion.com, 
DocFinder:  6327):The  blame  goes  a  lot  further  back. 
In  his  book  Take  On  the  Street,  Arthur  Levitt,  who  was 
chairman  of  the  Securities  and  Exchange  Commis¬ 
sion  in  the  1990s,  writes  that  the  SEC  knew  there 
were  loopholes  in  the  law  and  wanted  to  close 
them,  but  corporations,  accounting  firms  and  invest¬ 
ment  bankers  lobbied  Congress  to  stop  them.  Also, 
remember  when  President  George  W  Bush  said  the 
accounting  scandals  were  only  the  result  of  “a  few 
bad  apples”?  Then  when  the  WorldCom  bankruptcy 
happened,  he  suddenly  changed  course  and 
approved  Sarbox. 

If  the  politicians  had  been  doing  what  they  were 
supposed  to,  then  accounting  laws  would  have  been 
tightened  up  in  the  1990s  instead  of  going  way  over¬ 
board  when  the  public  finally  forced  changes. 

Les  Brunswick 
DeKalb,  Ill. 

Everything  for  nothing 

Regarding  “Shake-up  in  telecom  has  users  on  edge” 
(DocFinder:  6329):  I  have  been  in  the  telecom  indus¬ 
try  for  more  than  35  years.  I  was  on  the  access/carri- 
er  side  for  29  years  and  on  the  customer  side  for  six. 

It  seems  that  corporations  want  everything  for 
nothing. The  push  to  drive  down  telecom  prices  has 
led  to  cutthroat  behavior,  poor  business  practices 
and  situations  like  WorldCom.  Whenever  I  hear  man¬ 
agers  say  they  want  lower  prices,  I  want  to  say  “The 
telcos  have  to  make  a  profit  to  stay  in  business  and 
deliver  world-class  products  and  services!” 

Competition  is  good,  but  everyone  has  lost  their 
senses  in  the  greed  for  cost  savings  and  winning 
business  no  matter  the  consequences.  Perhaps  buy¬ 
ers  will  realize  they  can’t  just  count  on  cutting  costs 

E-mail  letters  to  jdix@nww.com  or  send  them  to  John  Dix,  editor  in 
chief,  Network  World,  1 18  Turnpike  Road,  Southborough,  MA  01 772. 
Please  include  phone  number  and  address  for  verification. 
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by  driving  their  suppliers  to  the  brink  of  disaster. 
Granted,  there  has  been  poor  management  on  the 
telco  side  and  poor  decisions  made  in  an  attempt  to 
be  “everything”  to  the  greedy  buyer.  Let’s  hope  for  a 
win-win  environment. 

Sandra  Mikesell 
Dayton,  Ohio 

MCI  is  responsible 

In  his  column‘AT&T:What  went  wrong?”  (DocFinder 
6330), Thomas  Nolle  doesn’t  mention  that  AT&T  was 
forced  into  making  the  decision  to  spin  off  AT&T 
Broadband  because  Bernie  Ebbers  and  MCI  lied.  If 
MCI  hadn’t  fudged  its  numbers,  Wall  Street  would 
not  have  hammered  AT&T’s  stock  or  projected  that  it 
couldn’t  generate  enough  cash  to  sustain  AT&T 
Broadband.  AT&T  Broadband’s  sell-off  didn’t  just 
suddenly  happen  because  of  a  bad  decision  to 
“focus  on  AT&T’s  core  business”  —  it  happened 
because  of  the  fraud  committed  by  WorldCom.  I 
think  it’s  important  to  make  clear  that  WorldCom  is 
largely  responsible  for  the  shambles  the  entire  tele¬ 
com  industry  is  in,  as  well  as  for  AT&T’s  state  today 

Mahadeva  Mani 
Herndon, Va. 

Nolle  replies:  WorldCom 's  behavior  had  a  wide 
impact  on  the  industry,  but  I  can 't  assign  it  the  blame 
on  this  one.  I  don 't  think  AT&  Ts  stock  was  hammered 
in  comparison  with  MCI's;  it  was  hammered  because 
the  numbers  weren 't  there.  Had  MCI  told  the  truth, 
theyd  both  have  been  hammered. 

In  a  way,  Wall  Street  was  responsible  for 
WorldCom.  Had  the  Street  not  hyped  the  value  of 
“ Internet  revenue" and  encouraged  everyone  to  shift 
costs  and  revenues  to  make  it  look  like  they  had 
more,  the  early  distortions  of  MCI’s  numbers  might 
never  have  happened,  and  accounting  issues  were 
probably  covering  up  the  aftermath  of  this.  It’s  a  com¬ 
plicated  industry,  and  honesty  everywhere  is  the  only 
right  answer. 
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THROUGH  CHANNELS 

Ken  Presti 

The  speech  was  truly  unique  in  that  the 
“spin”  was  the  apparent  absence  of 
“spin.”  Clent  Richardson,  the  executive 
in  charge  of  rebuilding  Nortel’s  once  power¬ 
ful  brand,  last  month  stood  in  front  of  rough¬ 
ly  200  sales  channel  partners  and  openly 
acknowledged  the  sins  of  the  past.  Not  a 
quick,  “mistakes  were  made”  statement  followed  by  30  PowerPoint 
slides  on  a  new  strategy,  but  a  lengthy  deep  and  even  heartfelt  dis¬ 
cussion  about  past  leadership,  integrity  transparency  and  a  lost  focus 
on  the  customer. 

The  partners,  who  earlier  had  listened  passively,  occasionally  play¬ 
ing  with  their  PDAs,  now  sat  bolt  upright  in  rapt  attention.  This  was 
much  closer  to  the  core  than  anyone  had  expected.  By  the  end  of 
the  speech,  the  room  had  a  sense  of  common  cause  usually  found 
at  12-step  programs. 

“I  thought  we  were  going  to  hear  a  lot  more  excuses,”  said  one 
value-added  reseller.  “But  that  speech  got  my  attention.  Maybe 
they’re  really  serious  this  time.” 

If  you’ve  never  heard  of  Clent  Richardson  before  —  and  yes,  I 
spelled  his  name  correctly  —  you’ll  hear  a  lot  more  about  him  soon. 
Billed  as  a  turnaround  expert  previously  at  Apple  and  T-Mobile, 
Richardson  was  named  Nortel’s  chief  marketing  officer  last 
September,  inheriting  the  uphill  task  of  rebuilding  the  beleaguered 
company’s  brand  strength.  In  his  speech,  Richardson  addressed 
Nortel’s  woes  head-on  and  with  occasional  wit. 

“By  being  candid,  you  let  people  know  that  you  acknowledge  the 


Nortel's  turnaround  chief  takes  alii 


problems,  know  what  you’ve  got  to  do  and  intend  to  go  do  it,” 
Richardson  explained  in  a  later  interview.  “It  wasn’t  risky  at  all.  I 
think  it’s  just  hot  air  when  people  try  to  explain  away  what  they  did.” 

Much  of  the  actual  turnaround  strategy  is  about  reaching  out  to 
end  users  and  building  demand  for  the  company’s  voice  and  data 
products.  With  additional  customers  in  the  fold,  more  channel  part¬ 
ners  would  help  meet  the  demand  and  make  a  few  dollars  along 
the  way.  But  Nortel  has  a  lot  of  ground  to  cover  —  and  a  lot  of  deci¬ 
sions  to  make  —  before  any  such  success  can  be  measured. 

One  key  component  to  any  effective  turnaround  strategy  is  to 
make  tough  decisions  and  “not  get  overwhelmed  with  consensus,” 
Richardson  explained. “We  need  to  live  by  the  sword  and  die  by  the 
sword,  and  I’m  OK  with  that.  I  can’t  allow  it  to  stop  me  from  making 
decisions.  We’ve  seen  a  lot  of  that  problem  in  corporate  America. 
How  many  leaders  really  make  a  decision,  as  opposed  to  collecting 
consensus  and  looking  for  agreement?” 

An  expanded  management  team  is  now  in  place  to  help  with 
those  decisions.  Nortel  recently  named  Gary  Daichendt,  a  former 
Cisco  executive,  as  president  and  COO,  reporting  to  CEO  Bill  Owens. 
The  new  management  team  plans  to  build  a  more  marketing-driven 
company. 

Whether  Nortel  will  be  able  to  return  to  its  previous  market  stature 
remains  to  be  seen.  But  either  way,  look  for  bold  moves  reflecting 
the  intent  to  live  or  die  by  the  sword. 


If  you've  never 
heard  of  Clent 
Richardson 
before . . .  you’ll 
hear  a  lot  more 
about  him  soon. 


Presti  is  research  director  of  IDC’s  Network  Channels  and  Alliances 
service.  He  can  be  reached  at  kpresti@idc.com. 


REALITY  CHECK 

Thomas  Nolle 

Last  month,  the  FCC  hosted  a  “summit” 
on  a  topic  that  touches  everyone  yet 
is  almost  unrecognized:  the  Telecom¬ 
munications  Service  Priority  program.  The 
TSP  is  the  communications  heart  of  U.S.  plans 
for  emergency  preparedness,  mandated  by 
law  and  implemented  on  the  public  switched 
telephone  network  ...and  we  don’t  know  for  sure  that  VoIP  can  support 
it.  Which  begs  the  question, “What  else  don’t  we  know  about  VoIP?” 

In  late  2003,  the  government  issued  a  request  for  information  (RFI)  to 
explore  the  impact  of  IP  convergence  on  TSP  It  had  two  primary  issues 
to  consider.  First,  are  there  new  forms  of  communications,  enabled  via 
IP  and  adopted  widely  by  industry  and  the  government,  which  must 
now  be  considered  for  priority  treatment?  Second,  will  TSP’s  treatment 
of  voice  calls  and  leased  services  work  in  converged  networks? 

The  answer  to  the  first  question  seems  to  be  yes.  E-mail,  instant  mes¬ 
saging  and  online  collaboration  are  tools  at  least  as  valuable  as  voice 
services  and  thus  should  be  included  in  any  priority  program.The  prob¬ 
lem  is  that  there  are  thousands  of  e-mail  systems  and  dozens  of  IM  and 
collaboration  systems.There  is  one  PSTN.  It  was  possible  to  create  a  uni¬ 
fied  TSP  plan  for  the  single  PSTN,  but  how  practical  would  it  be  to  even 
attempt  that  for  the  plethora  of  new-age  IP  communications  options? 

The  RFI’s  requirements  seem  to  answer  the  second  question.They  talk 
about  security  non-traceability  restorability  and  other  things  that  the 
Internet  has  not  been  successful  in  providing. 

In  the  PSTN,  services  are  in/of  the  network.  In  IP  they’re  over  the  net¬ 
work.  The  PSTN  acts  as  a  kind  of  harmonizer  of  technology  and  policy 
a  place  where  common  membership  mandates  common  standards, 
and  public  policy  can  be  applied  because  there’s  a  defined  and  small 
group  of  companies  to  apply  it  to. The  IP  world  lets  anyone  create  ser¬ 
vices,  which  increases  flexibility,  but  reduces  the  network’s  ability  to  cre¬ 
ate  harmony  at  the  service  level  and  multiplies  the  number  of  different 
and  possibly  incompatible  solutions. 


What  else  don't  we  know  about  VoIPP 


I’ve  read  the  TSP  documents  and  talked  with  some  of  the  people 
involved.  In  my  view,  voice  over  the  Internet  could  not  meet  TSP 
requirements,  nor  could  current  e-mail  and  IM  systems.  Internet  VPNs 
couldn’t  conform  to  the  priority  reconnection  goals  of  the  program. 
Not  all  “private  IP”  implementations  of  VoIP  (where  the  VoIP  network  is 
partitioned  from  the  Internet)  would  be  much  better  than  the  vanilla 
Internet  at  complying  with  TSP  policies.  So  here  we  are,  with  a  critical 
program  for  priority  communications  at  risk.  Why  did  this  happen? 

First,  regulations  today  are  very  PSTN-centric  because  we  haven’t  had 
any  new  legislation  to  cover  data  networks  and  services.  Even  the  1996 
Telecom  Act  didn’t  do  data.The  FCC  today  is  trying  to  meet  public  pol¬ 
icy  goals  with  laws  that  don’t  reflect  the  new  technology  of  IP 

Second,  the  standards  process  isn’t  cooperating.  The  IETF  has  regu¬ 
larly  declined  to  address  public  policy  issues  in  standards,  including 
Session  Initiation  Protocol  voice.  Part  of  this  is  IETF  politics,  but  part  is 
also  the  fact  that  the  IETF  wants  an  absolute  separation  of  services  and 
networks,  which  makes  it  hard  to  build  something  as  unified  as  the 
PSTN  using  IP 

Third,  carriers  aren’t  disclosing  their  “non-Internet-iP”  plans  or  the 
technology  on  which  they’re  based.  Everything  we  know  about  VoIP 
comes  from  over-the-Internet  players  that  don’t  control  infrastructure 
and  therefore  can’t  meet  TSP  goals. 

Finally  equipment  vendors  aren’t  bringing  TSP  issues  to  the  fore, so  it’s 
not  clear  how  or  if  they  can  support  this  sort  of  program. 

TSP  is  a  U.S.  program,  but  there  is  a  TSP-like  requirement  in  nearly 
every  major  industrial  country  There  are  many  public  policy  goals  that 
converged  networks  may  not  be  meeting.  It’s  disquieting  that  we’ve  got¬ 
ten  this  far  in  the  convergence  debate  without  exposing  all  the  impli¬ 
cations  and  issues.  There  are  probably  others  yet  to  be  exposed,  and 
we’re  running  out  of  time  to  deal  with  them. 


So  here  we  are, 
with  a  critical 
program  for  pri¬ 
ority  communica¬ 
tions  at  risk.  Why 
did  this  happen? 


Nolle  is  president  of  CIMI,  a  technology  assessment  firm  in  Voorhees, 
N.J.  He  can  be  reached  at  (856)  753-0004  or  tnolle@cimicorp.com. 
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Real-time  collaboration  using  presence- based 
tools  is  still  a  few  years  away  for  most  companies. 

PRESENCE  SIMMERS 
ON  RACK  BURNER 


I  BY  MELANIE  TUREK 


By  themselves,  today’s  collaboration  technologies,  such  as  instant  messaging  and  audio,  video  and 
Web  conferencing,  help  make  workers  more  productive.  But  when  combined  with  presence  — 
information  about  where  users  are,  what  applications  or  devices  they’re  using  and  how  to  best 
reach  them  —  those  collaboration  tools  can  become  part  of  a  virtual  workplace  in  which  employ¬ 
ees  can  quickly  get  information  they  need  and  ad  hoc  groups  can  set  up  meetings  on  the  fly 


The  result:  Companies  save  money  boost  productivity  and  stay  agile  in 
a  changing  world. 

It’s  a  great  goal,  but  it’s  still  at  least  three  to  five  years  away  for  most  orga¬ 
nizations.  That’s  one  key  finding  in  a  recent  Nemertes  Research  survey. 
Only  16%  of  the  43  IT  executives  who  responded  said  they  use  presence 
now,  another  26%  plan  to  do  so  in  the  next  six  to  24  months,  but  that 
leaves  42%  with  no  presence  plans  at  all. 

There  are  two  main  reasons  why  companies  are  holding  back.  Many  IT 
executives  don’t  see  the  justification,  in  resource  terms,  for  deploying 
presence;  and  those  that  do  still  are  focused  on  other  real-time  commu¬ 
nications  deployments,  such  as  IM  and  Web  conferencing. 

That  is  expected  to  change  over  time,  but  until  companies  get  a  handle 
on  IM,  conferencing  and  basic  security  issues,  presence  will  remain  on 
the  back  burner  for  most  IT  executives. 

Office  politics 

In  the  meantime,  a  war  is  brewing  as  vendors  come  at  presence  from  a 
variety  of  angles.  Applications  vendors  such  as  Microsoft  and  IBM  Lotus 
view  voice  as  an  add-on  to  their  collaboration  products,  while  IP  tele¬ 
phony  vendors  such  as  Nortel  and  Siemens  see  collaboration  applica¬ 
tions  as  an  add-on  to  their  voice  systems. 

Microsoft’s  Live  Communications  Server  (LCS)  2005  is  designed  to  work 
with  public  IM  services  from  AOL  and  Yahoo,  and  Microsoft’s  own  MSN 
Messenger.  LCS  2005  also  enables  the  integration  of  IM  and  presence 
awareness  in  other  Microsoft  applications,  notably  Office. 

An  MSN  Messenger  user  will  be  able  to  IM  an  AOL  user  from  within 
the  LCS  client  using  Session  Initiation  Protocol  (SIP).  However,  a  user 
won’t  be  able  to  IM  that  AOL  user  from  within  an  Office  application,  at 
least  not  yet. 

Although  many  survey  respondents  purchased  licenses  to  LCS  and  the 
IM  client  (often  as  part  of  a  larger  enterprise  license  agreement),  most 
have  yet  to  deploy  it. 

Those  who  have  installed  LCS  still  are  figuring  out  the  right  strategy  for 
the  future.“We  use  LCS  for  now,  we  have  presence  in  our  Office  applica¬ 
tions,”  says  Alvin  Lim,  general  manager  of  the  Regional  Microsoft  practice 
at  Asia  Datacraft.“It’s  not  yet  embedded  in  back-end  systems.  It’s  a  great 
technology  but  we're  hying  to  figure  out  the  apps  that  apply’ 

Nevertheless,  survey  results  show  that  Microsoft  has  the  largest  user 
base  among  participants:  20%  of  companies  that  have  standardized  on 
an  enterprise  IM  system  use  Microsoft  as  their  vendor,  and  79%  say  they 
use  or  plan  to  use  LCS  for  embedded  presence. 

IBM’s  newest  entry  in  the  real-time  communications  arena  is  Lotus 
Workplace  Team  Collaboration,  which  is  Java  2  Platform  Enterprise 
Edition-based  and  offers  integrated  synchronous  and  asynchronous  col¬ 


laboration,  which  includes  IM,  presence  awareness,  Web  conferencing, 
team  spaces  and  development  tools  for  embedding  presence  in  enter¬ 
prise  applications. 

Lotus  is  developing  a  SIP  infrastructure  for  reuse  across  IBM  software 
products.  IBM  also  has  defined  an  interdomain  specification  for  SIP  for 
Instant  Messaging  and  Presence  Leveraging  Extensions  that  enables 
interoperability  among  SIP-based  IM  offerings.  But  IBM  today  doesn’t 
offer  interoperability  with  other  presence  and  IM  vendors  or  services. 

Just  1 1%  of  companies  that  participated  in  the  survey  use  Lotus  for  IM, 
and  only  7%  who’ve  embedded  presence  in  other  enterprise  applica¬ 
tions  use  Lotus  to  do  so. 

Presence  at  work 

The  value  of  audio,  video  and  Web  conferencing  can  increase  when 
these  services  are  presence-enabled  and/or  integrated  with  a  company’s 
IM  system.  Click-to-meet  capabilities  let  users  meet  on  the  fly  whenever 
and  wherever  they  need  to.  Presence  ensures  all  participants  are,  in  fact, 
available  for  the  meeting. 

Some  conferencing  products  let  hosts 
schedule  meetings  to  start  as  soon  as  partici¬ 
pants  are  available,  tapping  into  their  online 
presence,  their  phone  presence  and  their  cal¬ 
endar  presence.  This  can  replace  hours  of 
coordination  time  and  ensure  meetings  get 
done  as  soon  as  possible,  which  saves  project 
time,  as  well. 

“We  love  being  able  to  jump  from  IM  to 
audio  or  Web  conferencing.  We  find  that  that’s 
a  very  interesting  phenomenon.  Multi-party 
chats  can  escalate  to  voice  conferencing,  and 
they  tend  to  do  that.  We’re  connected  via  the 
IP  network,  so  there’s  no  cost,”  Lim  adds. 

Convoq’s  ASAP  is  essentially  a  presence- 
enabled  Web  conferencing  too!  built  on 
Macromedia’s  Flash  technology.  The  eDial 
Instant  Collaboration  System  provides  enter¬ 
prise-grade,  secure  IM,  enhanced  with  pres¬ 
ence,  calling,  and  audio  and  Web  conferenc¬ 
ing  from  a  user’s  standard  Internet  browser. 

Meanwhile,  many  enterprise  IM  vendors  are  positioning  themselves  as 
presence  vendors.  Bantu,  an  enterprise  IM  product,  integrates  with 
WebEx  Communications  and  Microsoft’s  Office  Live  Meeting,  so  users 
can  launch  a  conference  from  within  a  Bantu  instant  message.They  also 
can  call  someone  simply  by  clicking  on  an  audio  link  —  and  in  both 


Menu  bar 
Initiate  meetings, 
activities 
List  of  invitees 


The  video  image 
you're  sending 

The  video  image 
of  the  person 
who  currently 
holds  the  podium 

Microphone  level 

Audio  and  video  settings 

Mute/unmute  the  audio 


Chat  history 


Chat  status  bar 


Text  color,  bold  Italic,  font 
Type  chat  text  here 

We  love  being  able  to  jump  from 
IM  to  audio  or  Web  conferencing. 
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Microsoft  practice,  at  Asia  Datacraft 


3/21/05 !  NetworkWorld 


Display  name,  status  and  custom  message 


Navigating  the 
digital  dashboard 


•  ASAP 

□0 

1  File  View  Actions  Tools  Help 

l 

With  presence- 
enabled  applications, 
users  can  set  up 
meetings,  send 
e-mail,  and  launch  a 
video  conference  or 
voice  conference. 

A  digital  dashboard 
lists  contacts  and 
provides  information 
on  their  availability. 


Menu  bar 

Alerts/ 
pending  bar 

View  and 
add  menus 


Tom  Jefferson  -  Available  ^  (Working  on  a  Declaration) 


1  New  Action  item 


-  -^Ti View:  Contacts  ^Addy) 


Contact  list 


13  Coworkers  (3) 

13  Documentation  (2) 

El  Engineering  (6/9) 

El  Documentation  (2) 

yf  Jim  Madison 
yt  O  Henry 
■'y'  Ada  Babbige 
y  Grace  Hopper 

yt  Jim  Carter 
Jim  Monroe 

Mark  Twain 


3  years 


cases  presence  works  to  let  users  know  the  person 
or  people  they  need  to  meet  with  are  available. 

All  the  major  IM  gateway  vendors  —  Akonix, 
FaceTime  and  IMlogic  —  offer  presence-integration 
tools  that  let  IT  executives  build  presence  into  the 
applications  of  their  choice. 

Digital  dashboard  of  the  Mure 

The  future  of  the  workplace  is  changing  —  and 
real-time  communications  dashboards  will  have  a 
lot  to  do  with  shaping  how  the  desktop  of  tomor¬ 
row  looks.  Think  of  these  dashboards  as  soft 
phones  on  steroids. 

Some  traditional  networking  vendors,  including 
Avaya,  Nortel  and  Siemens,  developed  software 
designed  to  use  IP  networks  and  offer  presence, 
conferencing,  and  integrated  voice  and  data  for 

total  communications  convergence. 

Only  7%  of  companies  report  using  real-time 
communications  dashboards  today  But  anoth¬ 
er  40%  plan  to  do  so  in  the  next  two  years.  And 
vendors  are  stepping  up  to  offer  products: 

•  The  3Com  Convergence  Applications  Suite 
incorporates  the  3Com  IP  Messaging  module 
for  unified  messaging  functionality  such  as 
“read-me  e-mail”  and  “find-me/follow-me”  services; 


the  3Com  IP  Conferencing  module  for  audio  con¬ 
ferencing,  video  conferencing,  data  conferencing 
and  presence  management  services;  and  3Com’s 
IP  telephony  products. 

•  Avaya’s  Converged  Communications  Server 
works  with  the  vendor’s  IP  telephony  software, 
Communication  Manager;  supports  presence;  and 
integrates  IM  and  telephony  via  a  single  buddy  list; 
users  can  click  to  launch  a  call  from  within  IM. 

Avaya  supports  six-way  meet-me  conferencing, 
and  it  recently  acquired  Spectel  for  audio  confer¬ 
encing  (the  next  release  will  support  click-to-con¬ 
ferencing  capabilities). The  company’s  video  con¬ 
ferencing  telephony  desktop  solution  integrates 
the  vendor’s  soft  phone  with  the  Polycom  desktop 
solution. 

•  Nortel’s  Multimedia  Communication  Server 
5100  drives  VoIP  networks,  and  delivers  multimedia 
and  collaborative  applications  to  the  enterprise  on 
an  open  platform  that  supports  industry-standard 
protocols,  including  SIP  and  H.323.  Capabilities 
include  mobility,  collaboration,  presence,  messag¬ 
ing  and  video  services. 

Collaborative  applications  include  videoconfer¬ 
encing,  audio  and  video  streaming,  white-board¬ 
ing,  file  exchange  and  IM.  Telephony  services  in¬ 
clude  call  redirect  and  call  forwarding,  conferenc¬ 
ing,  call  hold  and  waiting,  multiple  server  registra¬ 
tion,  and  real-time  call  management. 

•  Siemens’  OpenScape  lets  workers  see  their  col¬ 
leagues’  availability  across  an  IP  network  and  lets 
users  prioritize  and  control  who  can  reach  them, 
where,  and  when.  One-click  access  to  WebEx  Web 
conferencing  makes  it  easy  for  people  to  jump  into 
a  meeting  as  soon  as  they’re  all  available.  Open- 
Scape  operates  on  Windows  Server  2003  and  en¬ 
hances  Microsoft  e-mail  and  Windows  Messenger, 
and  voice  and  wireless  communications.  But  its 
open  nature  lets  it  integrate  with  other  enterprise 
applications. 

Contact  centers  lead  the  way 

One  area  leading  the  way  in  the  use  of  real-time 
applications  is  in  the  contact  center.  This  is  hap¬ 
pening  primarily  on  three  fronts:  Web  chat 
between  agents  and  customers;  IM  use  among 
agents  and  experts  to  quickly  distribute  informa¬ 
tion  and  answer  questions;  and  expert  routing, 
which  sends  calls  to  the  most  appropriate  avail¬ 
able  agent. 

Presence  has  the  potential  to  change  the  way- 
people  work  —  and  how  they  communicate  and 
collaborate  with  one  another.  Change  will  come 
slowly;  the  technology  isn’t  as  mature  as  it  needs  to 
be.The  productivity  gains  are  difficult  to  measure, 
and  the  cultural  adjustments  won’t  come  ease, 
from  end  users, but  companies  that  adopt  the  (re¬ 
tools  will  be  well  positioned  to  support  a  disperse, 
workforce  and  leverage  the  benefits  such  an  cm 
ronment  brings. 

Turek  is  a  principal  research  analyst  at  Newer y  s 
Research.  She  can  be  reached  at  melon r-o 
nemertes.com. 
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Microsoft's  dominant 
browser  is  being  challenged 
by  open  source  upstart 
Mozilla  Firefox,  but  in  our 
testing  neither  browser 
scores  a  knockout  punch. 
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BY  RODNEY  THAYER,  NETWORK  WORLD  LAB  ALLIANCE 


Don’t  go  ripping  out  Microsoft’s  Internet  Explorer  just 
yet. 

It  certainly  has  proven  vulnerable  to  attack  in  the  past,  and  the  con¬ 
stant  patching  to  add  the  latest  security  updates  can  be  a  nuisance. 
CERT  last  year  even  warned  people  to  stop  using  Internet  Explorer. 
And  Mozilla  Foundation’s  Firefox  has  been  getting  a  lot  of  buzz  lately 

—  to  the  tune  of  25  million  downloads  in  less  than  100  days  on  the 
market. 

But  our  testing  of  both  browsers  shows  that  it’s  not  an  easy  decision 

—  particularly  in  an  enterprise  environment.  Internet  Explorer’s  vul¬ 
nerability  to  attack  might  in  part  be  because  it’s  rich  in  features  and 
thereby  presents  a  larger  “attack  surface.”  On  the  other  hand,  Firefox’s 
perceived  edge  in  security  comes  with  a  price  —  fewer  features  and 
possible  inability  to  access  some  Windows-based  Web  applications. 

So  before  you  make  a  decision,  weigh  the  trade-offs.  One  compro¬ 
mise  to  consider  is  using  Internet  Explorer  internally  and  Firefox  for 
pure  Web  browsing. 

Our  hands-on  test  focused  on  security  rather  than  ease  of  use.  Our 
Internet  Explorer  6.0  implementation  ran  on  a  Windows  XP  client  (a 

See  Browser,  page  78 
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is  less  vulnerable  in  this  area  probably  because 
Microsoft  has  put  so  much  work  into  securing 
its  browser  in  response  to  all  of  the  hacker 
activity  targeting  it.  But  theoretically,  because 
they  both  process  essentially  the  same  HTML 
datastream  format,  either  browser  could  be 
attacked  in  that  manner. 

Round  2  Advantage:  Firefox. 

In  the  second  category,  Internet  Explorer 
provic  s  ActiveX,  JavaSc  pt  and  many 
other  mechanism  to  execute  code  delivered 
through  Web  pages  such  as  Visual  Basic  scripts  or 
Active  Server  Page  and  .Net  content.  Because 
there  are  more  ways  to  write  programs  that  are 


delivered  through  the  browser.  Explorer  is  more 
susceptible  to  attacks  in  this  manner,. This  is  the 
downside  of  all  th  sophisticated  featui  tl 
work  in  a  pure  Microsoft  Web  environment 

No  advantage. 
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which,  .independently  of  the 
browser,  can  be  vulnerable  to  attack,  A  recent 
example  is  the  ReatOne  plug-in  vulnerability 
(Www.nwfusi.on.cum.  D  wFindei  n  TM  Wink  the 
vulnerability  was  specifically  found  with  Explorer, 
the  problem  lies  in  the  plug-in  and  there  is  no 
i  soi  i  to  assume  this  sort  of  i  >i 
will  not  happen  someday  with  Firefox. 
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HP  BladeSystem  servers  allow  you  to  integrate  your  systems  with 
ease  for  unexpected  growth  and  unforeseen  business  demands. 
Powered  by  Intel  Xeon™  Processors,  these  innovative  servers 
adapt  to  change  in  a  seamless  modular  fashion,  creating  new 
operational  efficiencies  to  dramatically  upgrade  your  enterprise. 
And  that  changes,  well,  everything. 


Solutions  for  the  adaptive- 


HP  ProLiant  BL30p  server  blades 
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To  read  IDC’s  Adapting  to  Change:  Blade  Systems  Move  into  the  Mainstream,  visit  hp.com/go/biadesmagl9 
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WinBook  Pentium  4  with  512M  bytes  of  RAM)  with 
Service  Pack  2, and  the  latest  Microsoft  updates. With  the 
help  of  VMware  Workstation,  we  installed  Mozilla  Firefox 
1.0.1  on  the  same  system  inside  its  own  virtual  machine. 
This  test  machine  was  connected  to  the  Internet  through 
a  384K  bit/sec  DSL  line. 

We  used  the  browsers  side  by  side  for  a  variety  of  tasks 
such  as  reading  public  Web  sites,  checking  email  with 
Microsoft  Outlook  Web  Access,  and  accessing  our 
Apachebased  Web  server  to  reach  internal  resources 
and  management  tools.  Additionally  we  tried  surfing  to 
known  hacker  Web  sites  to  see  how  the  browsers  would 
behave  when  under  attack. 

Accessing  conventional  Web  sites,  such  as  CNN  or 
Yahoo,  gave  similar  results.They  both  block  pop-ups  and 
offer  a  variety  of  plug-ins  to  support  additional  forms  of 
data  such  as  Macromedia  Flash  or  Adobe  PDF  files. 

However,  the  key  difference  is  that  because  Internet 
Explorer  contains  Windows-related  features  that  are  not 
available  in  Firefox  —  Active  X,  .Net,  Active  Server  Pages 
—  it  is  difficult,  if  not  impossible,  to  use  some  Web-based 
applications  with  Firefox. 

Both  Internet  Explorer  and  Firefox  have  facilities  to  di¬ 
gitally  sign  plug-ins.  However,  the  signature  feature  is  not 
ubiquitously  used,  and  users  are  quite  likely  to  accept 
and  execute  unsigned  and  potentially  dangerous  code. 

This  is  why  you  should  back  up  your  browser  with  an 
intrusion-prevention  system  or  adequate  anti-virus  (ours 
was  running  F-Secure’s  Anti-Virus  Client  Security),  that 
can  detect,  notify  and/or  block  malicious  code  that 
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Microsoft  Internet  Explorer 

PRICE:  Ships  as  part  of  Windows. 

PROS: 

Complex  scripting  allows  sophisticated  delivery  of 
services  over  the  Web. 

Commercial  browser  implementation  available  with 
support  and  maintenance. 

•  Integrates  well  with  Microsoft  and  other  vendors' 
browser/Web  server-based  offerings. 

■  Continued  enhancements  to  security,  recently  exam¬ 
ples' being  delivery  of  XP  Service  Pack  2  and  announce¬ 
ment  of  Internet  Explorer  7. 

'Ei’ibpyption  and  authentication  facilities  available  to 
strongly  cpntro!  browser  access  to  data. 

CONS: 

.  Complex  scripting,  provides  remote  access  to  poorly 
defended)  system  interfaces  that  were  never  designed 
ffif^eflH’sfj'.localeinci/pr  strongly  authenticated  use. 

;-  4n:|oine 'cases,  known-  vulnerabilities  are  not  correct¬ 
ed for edme  time  and  thus  exploits  exist  in  the  wild  for 
which  there  is.  no  browser  update,  An  example  is  the  XP 
SP2  ppp-tip  problem  (go  to  www.nwfusion.com,  Doc- 
Finder:.  6325.  'for  details),  which  was  announced  in 
Pecernb6D:2db4')and  which  still  exists  in  Internet 
Explorer  6  qh  XP  SP2  as  of, early  this  month. 


Rendering  architectural  conclusions 

So  does  Firefox’s  architecture  make  it  fundamentally 
more  secure?  What  we  found  is  that  Firefox  is  not  neces¬ 
sarily  a  more  secure  implementation  of  a  browser.lt  sim¬ 
ply  has  fewer  features  to  attack. 

It  supports  fewer  and  less  complex  scripting  mecha¬ 
nisms  so  it  is  not  as  easy  to  write  powerful,  dangerous 
code  inside  a  Web  page  that  can  attack  it. 

It  is  not  as  tightly  integrated  with  any  particular 
operating  system.  This  means  there  are  fewer  ways 
the  browser  uses  operating  system-specific  features. 
That  means  there  is  less  of  a  chance  for  an  exploit  to 
use  the  browser  as  an  interface  into  the  underlying 
operating  system. 

Also,  the  open  source  nature  of  the  code  sometimes, 
but  not  in  a  guaranteed  manner,  provides  more  peer 
review  of  the  code  and  faster  turnaround  for  fixes  to 
vulnerabilities. 

The  enterprise  game  plan 

It’s  not  realistic  to  think  that  you  can  totally  stop  using 
Internet  Explorer,  especially  if  your  users  must  access 
servers  that  use  the  rich  features  it  supports  over  an  in¬ 
ternal  network  or  through  the  public  Internet. 

Can  you  start  selectively  using  Firefox?  If  you  have  a 
purely  browser-based  environment,  with  standards- 
based  scripting  and  plug-ins,  then  you  can  consider  this. 

Will  it  make  your  environment  perfectly  secure 
against  browser-based  attacks?  No.  Firefox  —  like  other 
browser  alternatives  —  is  not  perfect,  but  the  attack  sur¬ 
face  can  be  reduced  significantly  if  you  use  fewer  com¬ 
plex  features,  such  as  sites  that  deliver  ActiveX  through 
Web  pages. 

If  your  network  comprises  thousands  of  users,  then  this 


Firefox,  Mozilla  Foundatii  n 

PRICE:  Free. 

PROS: 

Standards-based  browser  doesn’t  use  proprietary 
features. 

Popular  open  source  project  is  well  supported  by 
an  active  community,  which  in  some  cases  facili¬ 
tates  faster  repairs. 

Source  code  available  for  review. 

More  encryption  features  (certificate  support  for 
Online  Certificate  Status  Protocol,  more  recent 
SSL/TLS  cipher  suites). 

Simpler  implementation  means  less  attack  sur¬ 
face  and  fewer  paths  into  lightly  defended  local  sys¬ 
tem  interfaces. 

CONS: 

No  commercial  support  available. 

Less  compatibility  with  proprietary,  but  de  facto, 
standard  Web  features  such  as  ActiveX.  No  guaran¬ 
tee  of  open  source  development  team  will  address 
new  vulnerabilities  any  faster  than  a  commercial 
implementation. 


can  be  a  difficult  change  to  execute.  On  the  other  hand, 
it  makes  sense  to  compare  the  cost  of  securing  Internet 
Explorer  with  add-on  client  security  products  or  intru¬ 
sion-prevention  devices  to  the  cost  of  simplifying/stan¬ 
dardizing  your  browser-based  infrastructure. 

What  to  do? 

The  risk  of  a  browser-based  attack  against  an  enterprise 
network  is  significant.  From  a  risk  management  point  of 
view,  it  is  definitely  a  good  idea  to  look  at  browser  alter¬ 
natives  to  Internet  Explorer  purely  based  on  the  sheer 
number  of  clients  running  it.  But  the  environment  might 
not  let  you  remove  it  because  your  shop  might  have 
built  up  access  to  necessary  internal  resources  using 
Microsoft’s  technology  based  on  Internet  Explorer. 

One  possible  solution  would  be  to  mandate  the  use  of 
Firefox  for  external  access  and  reserve  Internet  Explorer 
for  inside-the-enterprise  use.  Fblicy-enforcement  tools 
can  help  implement  this  sort  of  a  mandate. 

Security  measures  external  to  the  browser,  such  as 
application  firewalls,  intrusion-detection  and  prevention 
systems,  and  the  use  of  policy  enforcement  systems  to 
ensure  clients  only  access  trusted  Web  sites,  can  also  be 
considered  to  address  the  browser  risk. 

W 

Thayer  is  a  private  network  security  consultant  in 
Mountain  View,  Calif.  He  can  be  reached  at  rodney@ 
canola-jones.  com. 
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—  Rodney  Thayer 


Wireless  nets: 
Leave  no 
disaster- 
recovery  stone 
unturned 

■  BY  JOANIE  WEXLER 

I’ve  been  discussing  the  use  of  wireless 
network  services  for  disaster-recovery 
applications.  While  redundant  buried 
cables  strung  out  of  the  same  entrance  to 
your  building  can  be  cut  at  the  same  time 
with  devastating  results,  a  backhoe  or  other 
natural  enemy  to  terrestrial  cabling  has  no 
impact  on  airborne  packets. 

However,  if  you’re  really  serious  about 
high  availability  you  should  do  your  home¬ 
work  about  the  design  of  your  carrier’s 
wireless  network  —  just  as  you  would  with 
a  wired  infrastructure,  advises  Matthew 
Liotine,  vice  president  at  BLR  Research,  a 
technology  management  consulting  firm. 

Liotine  notes  that  while  a  cable  cut  in  the 
last-mile  link  to  your  premises  won’t,  affect 
your  wireless  access  network,  the  same 
isn’t  true  about  shared  fiber  connections 
further  down  the  line  —  say  between  wire¬ 
less  base  stations  in  your  mobile  operator’s 
network. 

True,  wireless  is  emerging  for  these  con¬ 
nections  too:  one  of  the  most  popular 
would-be  applications  for  early  WiMAX 
technology,  for  example,  is  for  backhaul 
between  base  stations  or  carrier  points  of 
presence. 

However,  if  you  don’t  know  how  the  car¬ 
rier  network  is  architected, you  might  think 
you’re  secure  when  vulnerabilities  could 
be  close  to  your  doorstep.  It’s  worth  investi¬ 
gating  to  find  the  weak  spots,  Liotine  says. 

“The  point  is  to  seek  out  single  points  of 
failure  and  common, shared  infrastructure, 
regardless  of  what  type  of  service  you  are 
using,”  Liotine  says. 

He  says  if  a  carrier’s  cell  site  sits  on  a 
tower  shared  with  many  others,  and  a 
storm  hits, “lots  of  [wireless]  service  can  be 
wiped  out.” 

Also,  consider  whether  your  service  is 
offered  in  an  unlicensed  or  licensed  fre¬ 
quency  Most  early  WiMAX  services  in  the 
U.S.  will  be  in  the  5.8-GHz  unlicensed 
band;  ask  your  service  provider  about 
potential  interference  issues,  he  says.If  the 
service  is  in  a  licensed  band,  is  it  still  a 
shared  service?  If  so,  is  bandwidth  guaran¬ 
teed  to  be  available  to  you? 

“If  you  have  a  critical  service,  such  as  a 
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daily  download  of  business  receipts,  you 
want  a  dedicated  [wireless]  circuit,”  he  says. 

Also,  be  cautious  of  the  bandwidth  claims 
advertised  by  service  providers. “You  can’t 
go  by  the  typical  average  throughput 
claimed  by  the  carriers”  in  terms  of  backup 
bandwidth  available,  Liotine  says.“You  must 


consider  other  factors  such  as  wireless  fre¬ 
quency  distance  and  modulation  scheme. 
Certain  modulation  schemes  can  pump 
more  bits  per  unit  of  frequency  which  can 
gain  you  some  bandwidth.” 

Companies  should  evaluate  their  wireless 
provider’s  core  network  for  internal  redun¬ 


dancies  and  make  sure  the  provider  shares 
no  common  infrastructure  with  wireline 
providers. 

Wexler  is  an  independent  networking  tech¬ 
nology  writer/editor  in  Silicon  Valley.  She 
can  be  reached  at  joanie@jwexler.com. 


Only  took  you 
2  minutes  to  audit 
the  entire  network? 

Don't  tell  anyone 
or  they'll  find 
something  else 
for  you  to  do! 


AuditWizard  V6  -  Simply  Effective 

No  other  software  makes  auditing  your  network  as  quick  and  easy 
as  AuditWizard™. 

Install,  then  sit  back  and  let  AuditWizard™  do  all  the  complicated  stuff. 
AuditWizard™  will  automatically  discover  all  of  the  PCs  connected  to  your  network 
then  conduct  a  comprehensive  software  and  hardware  audit  of  each  one  -  without 
any  user  intervention  from  you. 

So  when  the  boss  asks  for  that  Software  License  Compliance  Report  -  you're 
good  to  go... 

...if  only  everything  in  life  was  as  simple  to  use  as  AuditWizard™ 

For  more  information  telephone  813  319  1390 
or  email  saies@auditwizard.com 

Download  a  FREE  trial  today!  www.auditwizard.com  Layton" 

Technology 

Al(  company  product  names  where  used  are  trademarks  or  registered  trademarks  of  their  respective  holders.  ©  Copyright  2005  Layton  Technology 


Anti-spam  technology  failing?  Well... 


Meridius  Security  Gateway" 

99%  spam  detection  rate, 

0%  false  positives, 

100%  virus  blockingt 


Call  1.866.895.6931  and  get  a  $5000*  trade-in  credit 


*  Contact  a  BlueCat  Networks  representative  for  promotion  details.  Limited  time  offer.  Promotion  code:  BCN-M105 
t  “Scanning  for  Spam",  Network  Computing  Magazine  Oct.  28,  2004 
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Call  us:  Schedule  your  free  demo  today. 

1.866.895.6931  ,  Visitwww.bluecatnetworks.com/meridius/nww 

■  v  ///  .  /' ;  ./-:  •  /  ■' 

ft V'  "  •  -  *  ’■  •  .  ,  * 

Blu^Cet  NetwprHs,  thflf  BfpeCat.NetwQr^s  logo.  Meridius  Security  Gateway  and  the  Meridius  logo  are  tiademarks  of  BlueCat  Networks.  Inc. 

A  :■>&;  ■  .  '<'■/.  f  •  •  ■-  ;  r ,  • . .  .  •  . 

v  •’  v  A.-r:-'  .  '■  •  : 

r  ..  •, . .  . .  •:*  ■  ■■  -  , 


<^>INSIDETHEDDMA1N~ 

www.bluecatnetworks.com/subscribe 


Meridius  Security  Gateway 


Management 


■  CAREER  DEVELOPMENT 

■  PROJECT  MANAGEMENT 

■  BUSINESS  JUSTIFICATION 


Adapting  to  automation 

Technology  threatens  to  eliminate  many  of  today’s  network  administration 
positions,  although  industry  watchers  predict  more  strategic  IT  jobs  to  evolve. 


A  five-part  series  on  how  to 
turn  challenges  into 
opportunities. 


■  BY  DENISE  DUBIE 


Editor's  note:  This  is  the  final  installment  of  a  five-part  series  on  the  threats  facing  IT 
executives  and  how  to  mitigate  them. 

An  old  IT  industry  joke  suggests  automation  will  be  so  prevalent  in 
future  data  centers  that  the  only  staff  on  hand  will  be  a  man  and  a 
dog:  The  man’s  job  is  to  feed  the  dog,  and  the  dog’s  job  is  to  ensure 
the  man  doesn’t  touch  the  computer. 

While  the  scenario  of  such  an  automated  IT  environment 
gets  laughs  among  network  executives,  the  premise  isn’t  so 
far-fetched  anymore.  Today  automation  technology  has 
evolved  beyond  simple  system  monitoring  to  dynamic  pro¬ 
visioning  and  reallocating  of  data  center  resources.  New 
technologies  such  as  virtualization  are  designed  to  further 
remove  the  need  for  human  intervention  from  day-to-day 
data  center  operations  —  making  the  prospect  of  being  dis¬ 
placed  by  technology  no  laughing  matter  to  some. 

According  to  Gartner,  90%  of  the  work  of  IT  departments 
surveyed  last  year  will  be  automated,  outsourced  or 
absorbed  by  other  business  units  by  2015.The  research  firm 
also  predicts  that  twice  as  many  jobs  will  be  lost  between 
2005  and  2015  because  of  IT  automation, as  compared  with 
IT  outsourcing.  Lastly  Gartner  says  it  expects  a  typical  IT  department  of  100  employees 
today  to  shrink  to  between  six  and  15  employees  by  2015. 

Time  will  tell  if  the  numbers  will  hold  true,  but  in  the  meantime,  industry  watchers  and 
IT  executives  say  when  faced  with  such  a  bleak  outlook  for  the  future,  one  has  to  read 
between  the  lines.  If  automation  is  forecast  to  eliminate  most  of  today’s  IT  jobs,  then  the 
assumption  should  be  that  tomorrow’s  IT  jobs  would  encompass  a  new  set  of  skills  yet  to 
be  tackled  by  technology  or  technicians.  For  instance,  network  operations  positions  would 
adapt  into  managers  of  strategic  technology,  and  application  maintenance  roles  could 
evolve  into  business  services  managers. 

“I  have  been  in  IT  for  more  than  30  years  and  I  have  heard  about  the  threat  of  automation 
since  Day  One,”  says  Shivaji  Huttler,  database  and  data  warehouse  manager  for  the  city  of 
Boise,  Idaho.“It’s  really  only  a  threat  to  individuals  who  aren’t  willing  to  adapt  and  evolve.” 

Huttler  says  without  automation  he’d  be  shackled  to  a  database  anxiously  pouring  over 
logs  to  determine  if  anything  had  gone  awry.  With  BMC  Software’s  Patrol  automated  mon¬ 
itoring  tools  in  place  to  alert  him  of  performance  exceptions,  he  is  free  to  diagnose 


higher-level  problems  and  use  his  knowledge  for  business-oriented  planning. 

“Automation  increases  my  productivity  and  empowers  me  with  more  knowledge 
because  I  am  not  focused  on  repetitive,  manual  tasks,”  Huttler  says.  “Databases  are  pretty 
straightforward;  the  exciting  part  is  using  the  data  toward  business  intelligence  goals.” 

Huttler  admits  his  IT  operations  remain  far  from  the  dynamic  data  centers  envisioned  by 
vendors  such  as  HP  IBM  and  others,  but  his  attitude  could  guarantee  him  a  job  when 
automation  technology  takes  over  more  manual  tasks. 

“If  you  look  at  the  big  picture,  automation  will  predominantly  lead  to  advancement  for 
motivated  IT  professionals,”  says  Terry  Phillips,  branch  manager  at  IT  staffing  firm  Robert 
Half  Technology  in  Columbus,  Ohio. 

Network  administrator  roles  might  be  the  first  positions  replaced  by  automation,  but  the 
people  filling  the  positions  could  develop  their  skills  in  niche  technologies  such  as  secu¬ 
rity  wireless  or  network  architecture  to  move  from  an  operations  job  to  a  more  strategic 
position  for  the  time  being.  Positions  in  project  management,  compliance  management 
and  business  process  management  could  crop  up  as  network  administrator  jobs  fall  off. 

“There  are  soft  skills  that  humans  possess  and  technology  cannot  automate,  especially  if 
it’s  specific  to  one  company  or  type  of  business,”  Phillips  says.“In  some  cases,  automation 
may  replace  a  human  position  for  the  short  term, but  if  the  IT  department  is  thinking  strate¬ 
gically  those  positions  manifest  themselves  into  something  else  over  the  long  term.” 

Keeping  valued  employees  familiar  with  the  workings  of  the  business  or  industry  might 
also  pay  off  for  employers  looking  to  automate  parts  of  the  IT  department. 

“You  need  humans  to  create  competitive  processes  —  you  can  find  software  that  would 

increase  the  effectiveness  of  the  process  —  but  you 
need  humans  drafting,  maintaining  and  updating  the 
business  processes,” says  Rich  Ptak,a  principal  analyst 
at  Ptak,  Noel  &  Associates. 

Ptak  says  companies  looking  to  implement  a 
dynamic  data  center  that  can  respond  automatically 
to  changing  business  requirements  will  want  to 
incorporate  automation  technology  alongside  strate¬ 
gic  staff  members  in  their  deployment. “Automation 
will  at  first  free  up  IT  folks  from  repetitive  and  pre¬ 
dictable  tasks  like  monitoring  and  enable  them  to 
focus  on  business-oriented  tasks  such  as  rolling  out 
new  revenue-generating  services,”  he  says. 

W  Kevin  Colwell,  development  manager  at  Capital 
District  Physicians’  Health  Plan  in  Albany,  N.Y, 
says  automation  lets  his  staff  work  more  flexibly 
and  tackle  broader  tasks  than  in  the  past.  With  soft¬ 
ware  monitoring  server  health  and  status,  a  systems  administrator  can  spread  his 
wings  to  explore  more  advanced  IT  duties  such  as  provisioning  new  servers  to  support 
business  applications. 

Colwell  uses  Remedy  software  to  automatically  track  changes  and  determine  when 
human  involvement  is  required,  doing  the  job  formerly  done  by  two  or  three  technicians. 
While  automation  could  eliminate  entry-level  positions,  Colwell  says  he  doesn’t  believe 
the  technology  overall  can  be  seen  as  a  threat  to  the  IT  organization.  He  says  automation 
technology  —  and  the  IT  department  as  keepers  of  such  —  will  represent  a  more  critical 
role  to  the  business  going  forward. 

IT  management  often  saw  automation  as  a  means  to  increase  productivity,  but  Colweli 
says  current  and  future  IT  managers  will  realize  the  technology’s  benefits  in  terms  of 
process  and  business  best  practices.  For  his  organization,  healthcare  regulations  such  as 
HIPAA  forced  the  adoption  of  consistent  best  practices  and  processes. 

“You  need  people  to  determine  the  way  to  approach  processes  in  their  organization- 
then  automation  helps  prevent  staff  from  straying  from  those  processes,”  he  says.H 


CHALLENGE 

Automation  technology  poses  a  threat  to  many  of 
today's  IT  application,  infrastructure  and  operations 
positions,  which  could  lead  to  the  end  of  IT  departments 
if  remaining  positions  become  absorbed  or  outsourced. 

RESPONSE 

By  mastering  automation  technologies,  learning  best 
practices  and  incorporating  business  savvy  into  their 
skills,  IT  executives  can  adapt  and  expand  beyond  cur¬ 
rent  operations  and  maintenance  roles  to  become  lead¬ 
ing-edge  technical  strategists  for  their  companies. 
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How  much  can  your  network  analyzer  see? 


Observer  is  the  only  fully  distributed  network  analyzer  built  to 
monitor  the  entire  network  (LAN,  802.Ha/b/g,  Gigabit,  WAN). 
Download  your  free  Observer  10  evaluation  today  and  experience 
more  comprehensive  real-time  statistics,  more  expert  events,  and 
more  in-depth  analysis  letting  you  dive  deeper  into  your  network 
than  ever  before.  Choose  Observer. 


-  DRR&ER-  Guard  against  the  latest  network  threats  by  identifying 
and  isolating  infected  systems  automatically. 

-BRTR  Mini  nG-  Analyze  gigabit  traffic  and  massive  amounts 
of  data  with  Observer's  expanded  options  for  data  mining. 

-JUnK  TRRFFlC-  Identify  broadcast  storms,  monitor  excessive 
traffic,  and  optimize  bandwidth  with  Observer's  many  utilization 
metrics  and  over  30  real-time  statistics. 


US  &  Canada 


toll  free  800.526.5958 
fax  952.932.9545 


UK  &  Europe  +44(0)1959569880 

www.networkinstruments.com/analyze 


UltraMatrix  Remote 

REMOTE  MULTIPLE  USER 
KVM  MATRIX  SWITCH 
ACCESS  OVER  IP  OR  LOCALLY 


UltraConsole 

PROFESSIONAL  SINGLE-USER 
KVM  SWITCH  SUPPORTS  UP 
TO  1000  COMPUTERS 


Connects  1,000  computers  to  multiple  user  stations 
over  IP  or  locally 

High  quality  video  up  to  1280  x  1024 
Scaling,  scrolling,  and  auto-size  features 
Secure  encrypted  operation  with  login  and  computer 
access  control 

Advanced  visual  interface  (AVI) 

No  need  to  power  down  servers  to  install 
Free  lifetime  upgrade  of  firmware 
Available  in  several  models 
Easy  to  expand 


Connects  up  to  1000  computers  to  a  KVM  station 
Models  for  4,  8,16  computers 
Advanced  visual  interface  (AVI) 

Compatible  with  Windows,  Linux,  Solaris,  and  other  O/S 

Connects  to  PS/2,  Sun,  USB,  or  serial  devices 

Converts  RS232  serial  to  VGA  and  PS/2  keyboard 

Free  lifetime  upgrade  of  firmware 

Security  features  prevent  unauthorized  access 

Full  emulation  of  keyboard  and  mouse  functions  for  automatic, 

simultaneous  booting 

Easy  to  expand 

ranee 


ifcAWFR  WITH  KVM  SWITCH  OPTION 


ELECTRONICS 


SERVERS  WITHIN  YOUR  REA  H 
FROM  ANYWHERE 


A  KVM  switch  allows  single  or  multiple 
workstations  to  have  local  or  remote  access  to 
multiple  computers  located  in  server  rooms  or 
on  the  desktop  regardless  of  their  platforms 
and  operating  systems.  KVM  switches  have 
traditionally  provided  cost  savings  in  reducing 
energy  and  equipment  costs  while  freeing  up 
valuable. real  estate. 


Recognized  as  the  pioneer  of  KVM  switch 
technology.  Rose  Electronics  offers  the 
industry's  most  comprehensive  range  of 
server  management  products  such  as  KVM 
switches,  extenders  and  remote  access 
solutions.  Rose  Electronics  products  are 
known  fi>r  their  quality,  scalability,  ease  of  use 
and  innovative  technology. 

Rose' Electronics  is  privately  held  with  world- 
headquarters  in  .Houston,  Texas  and  sells  its 
products  worldwide  through  a  large  network  of 
Resellers  and  distributors.  Rose  has 
operations  in-the  United  Kingdom,  Spain, 
Germany,  Benelux,  Singapore  and  Australia. 


KVM  over  IP 


Cyclades  AlterPath™  KVM/net 
offers  a  unique  set  of  features: 

■  Server-based  authentication 

(NT  domain,  LDAP,  Secure  ID,  RADIUS,  TACACS+) 

■  16  and  32  port  models 
■CAT5  cabling  up  to  500  feet 

■  User  access  logging 

■  System  event  syslog 

■  Integrated  power  management 


Over  85%  of  Fortune  1 00 
choose  Cyclades. 

www.cyclades.com/nw 

1 .888.cyclades  >  sales@cyclades.com 


We've  worked  our  magic 
Now  you  can  work  yours. 


*>2004  Cyclades  Corporation.  Ail  rights  reserved.  AH  other  trodemorb  and  product  images  are  property  of  their  respective  owners.  Product  informoticn  subject  to  change  without 


Web- based  access 


www.nwfusion.com 


Terminal  server  vendors,  who  proclaim  that 
they  have  Secore  Out  Ot  Band  products,  rely 
on  RADIUS,  TACACS+  and  other  in-band 
protocols  to  provide  security.  By  inference, 
they  imply  they  secure  out  ot  band  access 
when,  in  tact,  they  otter  only  network  security, 
which  contlicts  with  out  ot  band  access. 


A  true  Secure  Out  of  Band  Management 
solution  should  provide  strong  security  without 
reliance  upon  network-based  protocols. 


CDI  offers: 

Hardware  encryption  over  dial-up 
and  network  connections 
RSA  certified  SecurlD  authentication 
without  a  network. 

Patented  central  management  of  all 
remote  devices 


Full  NIST,  FIPS  140-2  certifications 
Remote  Power  control 


Homologous  world-wide  approved  •~r 
internal  modems 


CDI  has  been  building  encryption  equipment  for  over  fifteen  years.  Our  customers  and  partners  include 
major  financial  institutions,  government  agencies,  major  telcos,  utilities,  and  the  United  States  military 


Communication  Devices  Inc. 
www.outofbandmanagement.com 


SFNSAPI IONF 

irvis-anoa 


Sends 

SNMP 

Messages 


Monitors 

64 

IP  addresses 


Embedded 

Web 

Server 


Sends  Power  Internal 

E-Mail  Outage  UPS 

Alarming 


Power 

Control 

Interface 


Ethernet 

Port 


Internal  Voice, 
Modem 
&  Pager  Port 


8  R|-45  Sensor  Inputs 

(Temperature,  Humidity, 
Water,  Motion,  Power, 
Smoke/Fire) 


Microphone 

for  Sound 
Monitoring 


BE  NOTIFIED  BEFORE  CRITICAL  EVENTS  TURN  INTO  DISASTER! 


•  Eight  environment  inputs 

•  Power  sensing 

•  Monitors  64  IP  addresses 

•  Send  alerts  to  64  people 

•  8  methods  of  contact 

•  Calendar  scheduling 

•  Expands  to  256  sensors 

•  Remote  power  control 

•  Optional  camera 


The  Sensaphone  IMS-4000  Infrastructure 
Monitoring  System  monitors  critical  environ¬ 
mental  and  network  elements  in  your  server 
room,  data  center,  or  telecomm  installation  and 
reports  to  you  instantly  when  events  threaten 
your  infrastructure.  The  IMS-4000  keeps  watch 
so  you  don't  have  to.  See  these  features  and 
more  on  the  web  at  www.ims-4000.com 


Phonetics,  c. 

Tel:  877-373-2700 

901  yens  Road 

www.ims-4000.com 

As  >n,  PA  19014 

Software  based,  non-dedicated  data  collection 
Compatible  with  Network  Instruments’  optimized  ErrorTrak™ 
NDIS  drivers;  which  display  true  errors-by-station. 


OU  WANT  COMPLETE  VISIBILITY. 


WE  MAKE  IT  HAPF  EN. 

Remote  Monitoring  Solutions 

RMON  and  HCRMON  Probes 

You  want  remote  monitoring  solutions  for  visibility  into  every  part  of  your  network.  With 
RMON  arid  HCRMON  Probes  from  Network  Instruments,  it’s  easy.  Convert  any  PC  into  a 
complete  remote  network  monitoring  data  collection  device.  Use  the  RMON  appliance 
(available  in  1U  and  4U  systems)  for  a  full  turn-key  solution.  Call  800-526-7919  for  more 
information  or  visit  our  website  at  www.networkinstruments.com/RMON. 


RM0N2  and  HCRMON 


full-duplex  Gigabit 


Complete,  industry 
Windows  2000/XP 
1  Software  based,  non  ’  "  ' 


based  probes  for 


www.networkinstruments.com/RMON 


One  Network  'J/  Complete  Control 


Wired  to  Wireless  •  LAN  to  WAN 


NETWORK* 

INSTRUMENTS 


US  &  Canada:  (952)  932-9899 

Toll  free:  (800)  526-7919 

UK  &  Europe:  +44  (0)  1959  569880 
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Production  Tracking  Over  Ethernet 


qqqBSQQ 


Eliminate  your  shop-floor 
PCs  with ... 

Ethernet  Terminals  from 
ComputerWise  connected  to 
your  in-house  LAN. 

Capture  production  data 
directly  into  files  on  your 
server. 


Features  &  Benefits 

•  Interactive  Telnet  Client 

•  TCP/IP  over  10/IOOBaseT  Ethernet 

•  Built-in  Barcode  Badge  Reader 

•  Optional  Mag-Stripe  &  RFID  Bad*  e  Reader 

•  Auxiliary  RS-232  Serial  port 

•  Customizable  Data  Collection 
Program  Included 

•  Larger  keyboard  and 
display  sizes  available 


COMITTERWBL 

Gall  1-800-255-3739  or  visit  www.eamputerwise.coni 


Cabinet  Passes  NEBS  Level  4 


This  range  of  19"and  24"wide  cabinets  use 
welded  aluminum  construction  to  provide 
lower  weight  NEBS  compliance  for  seismic 
regions.  Heavy-duty-aluminum  extrusions 
are  combined  with  seven-guage  steel  base  to 
provide  a  rugged  floor-mounting  design  able 
to  resist  shock,  bending  and  vibration  stresses. 
The  cabinets  are  designed  for  deployment  in 
earthquake-prone  areas  to  Zone  4,  and  comply 
with  BelcoreTR-63/ANSI-329,  suiting  appli¬ 
cations  in  defence,  rack-mount  computers, 
manufacturing,  and  telecom. 


If  we  can  do  this  then  your  server  application 
is  safe  with  us! 


NEBS  Compliant  Seismic  Cabinet 

Optima's  rugged  design  is  the  earthquake  and  vibration  resilient 
foundation  you  need  to  securely  protect  and  support  your  equip¬ 
ment  Our  knowledge  and  design  experience  has  enabled  us 
to  manufacture  over  5000  seismic  hardened  cabinets  which  are 
installed  in  Zone  4,  NEBS  Compliant  infrastructures  worldwide! 

Our  vast  product  range  and  our  ability  to  customize  cabinets, 
consoles,  and  instrument  cases  make  optima  the  ideal  choice  for 
all  your  enclosure  needs. 

Visit  us  at  www.optimaeps.com  to  find  out  more 
or  call  us  today  on  770-496-4000 


Custom  ! 
Commercial  I 
Telecom  l 
Seismic,  f 
EMC  | 
Desk  Systems  I 
Instrument  Cases  \ 
Accessories  l 


Optima  EPS 

®  Cabineis  &  Enclosures 

An  ELMA  Compa 


The  combination  of  Nema  1 2  protection  and  RFI  shield¬ 
ing  in  a  low  weight  cabinet  makes  the  Form  4  cabinet 
suitable  for  a  wide  range  of  applications,  such  as 
computer  simulation,  test  and  measurement,  industrial 
control,  and  computer  storage  installation.  For  maxi¬ 
mum  flexibility,  the  reinforced  doors  are  field-reversible 
and  open  1 22  degrees  for  access,  with  concealed  hinges 
and  multipoint  locking  for  security  and  clean  lines. 


We  deliver  customized  19-inch 
cabinets  in  just  2  weeks 


Every  electronic  system  is  different,  so 
its  not  surprising  that  standard  1 9-inch 
cabinets  don't  always  offer  the  ideal 
system  packaging.  That's  why  Optima 
has  introduced  the  Custom  Cabinet  14 
service:  customized  cabinets  delivered 
to  your  door  in  just  1 4  days. 


You  decide  where  you  want  the  holes 
and  handles.  How  many  shelves  you  need.  Where  the  doors  should  be.  And  what 
accessories  you  want.  Then  we  put  it  together  -  fast. 


So,  with  the  Optima  EPS  Custom  Cabinet  14  service,  you  don't  have  to  keep  space 
hungry,  expensive  inventory,  because  your  ideal  cabinet  is  just  2  weeks  away. 


Aluminum  Cabinets  provide  protection  against  dust,  moisture,  and  EMI 


The  new  Form  4  range  of  rugged  aluminum  cabinets 
from  Optima  EPS  has  been  designed  to  provide  reliable 
protection  to  UL-508Type  12  specifications,  as  well  as 
offering  options  for  up  to  1 0OdB  of  EMI  attenuation. 
The  cabinets  are  easily  customized  to  suit  the  required 
height,  depth,  and  width,  including  19" and  24"  widths 


Wall-mount 
swing  frame 
suits  both 
electrical 
wiring  and 
19"  electronic 
equipment 

applications. 


Optima  EPS 
announces 


the  launch  of 
a  versatile  range  of  wall-mount  swing  frame 
cabinets,  designed  to  suit  both  electrical  wir¬ 
ing  and  electronics  applications.  Locks  to  the 
rugged  front  and  rear  doors  permit  the  whole 
frame  to  clear  the  wall  to  simplify  installation 
and  maintenance  for  electrical  contractors  and 
manufacturing,  instrumentation,  and  automa¬ 
tion  applications.  The  Frame  is  designed  to 
accept  standard  19"  racks  and  fittings,  as  well 
as  electrical  components,  and  is  available  in  a 
range  of  colors  and  six  standard  sizes  from  23" 
x  1 4"  to  48"  x  20". 
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How  Do  You 
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Securely  Reboot 

via  IP? 


Server  Technology 


Solutions  for  the  Data  Center  Equipment  Cabinet 


When  servers  and  network  devices 
in  the  da  i  center  lock-up,  n  rk 
managers  need  fast,  secure  and 
reliable  tools  to  res  ond.  With 
Sentry™  Remote  Site  Managers, 
an  administrator  can  immediately 
reboot  a  re  note  system  with  just 
a  :w  mouse  clicks.  Sentry  also 
p  as  ccurate  input  current 
power  monitoring,  environmental 
monitoring  and  integrated  sc  :ure 
console  management  l  ing  SSH. 


Sentry  Gives  You  Secure  Web/I P  Based  Remote  Site  Management 


Secu  Shell  (SSHv  )  Encryption  « 
"NEWT"  SSLv3  Secure  Web  Browser « 
"NEWT"  /  i  Directory  with  LDAP  « 
SNMP  M  B  1  Traps  « 
Integrated  Secure  Modem  « 
True  RMS  Power  Monitoring  « 
Outlet  Receptacle  Grouping  for  Dual-Power  Servers  « 
Fail-Safe  Transfer  Switch  for  Single-Power  Supply  Servers  « 
Power-up  Sequencing  Prevents  Power  In-rush  Overload  « 
Temperature  &  Humidity  Environmental  Monitoring  « 
Zero  U  &  Rack-mount  Mo  els  « 
110/208  VAC  Models  with  30-Amp  Power  Distribution  « 
NEBS  Approved  -48  VDC  Models  Available  « 


Server  1  ith  iol<  gy,  Inc 

Server  Technology,  Inc.  toll  free  +1.800.835.1515 

1 040  Sandhill  Drive  tel  +1 .775,284.2000 

Reno,  NV  89521  fax  +1 .775.284.2065 
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security’  says  Ellen  Daley,  princi¬ 
pal  analyst  at  Forrester  Research. 
“Do  1  allow  devices  that  some¬ 
body  just  buys  to  connect  to  my 
network?  Are  they  compliant 
from  an  operating  system  and  ap¬ 
plication  perspective?  Do  I  scan 
and  quarantine  them  if  they  don’t 
comply?” 

Another  consideration  is  wheth¬ 
er  the  devices  enable  seamless 
roaming  between  the  company 
and  carrier  network,  or  between 


different  carrier  networks.  Many 
large  corporations  are  deploying 
IEEE  802.11  Wi-Fi  wireless  LANs 
internally,  while  the  wireless  WAN 
is  migrating  from  2G  and  2.5G 
standards  to  3G  technologies. 

Ensuring  a  consistent  user  ex¬ 
perience  and  level  of  service  is  a 
challenge. 

“An  often  overlooked  point  is 
that  enterprises  are  still  in  a  three- 
,  four-  or  five-carrier  environment,” 
says  Michael  Voellinger,  vice  pres¬ 
ident  of  wireless  services  for 
Telwares,  a  telecom  consultancy 
“You  need  to  look  at  where  the 


market  and  technology  is  going, 
and  who  you  are  working  with. 
You  need  a  consistent  platform 
and  experience.” 

Dual-mode  Wi-Fi/cellular  mo¬ 
bile  devices  exist,  but  they  are 
costly  and  have  a  shorter  battery 
life  because  they  support  two 
radio  antennas  —  one  for  Wi-Fi 
and  the  other  for  the  particular 
cellular  technology  employed  by 
the  carrier.  And  if  that  cellular 
technology  is  2G  or  2.5G,  the 
handset  could  become  obsolete 
if  users  want  to  take  full  advan¬ 
tage  of  the  3G  capabilities  com¬ 


Kazeon’s  storage  appliance 
handles  unstructured  data 


■  BY  DENI  CONNOR 

Kazeon  Systems  says  it  is  set  to  introduce  a  storage 
appliance  that  not  only  analyzes  the  unstructured 
data  on  file  servers  but  also  decides  where  to  store 
that  data,  and  determines  who  can  retrieve  it  and 
when,  based  on  rules  that  IT  creates. 

The  company  founded  in  2003  by  Sudhakar  Mud- 
du  and  three  other  storage  veterans  from  Broadcom, 
AT&T  and  Sprint,  joins  a  slew  of  others  mining  data 
for  its  content,  and  making  decisions  on  how  and 
where  it  will  be  stored.  Muddu  was  the  founder  of 
Sanera,  which  he  sold  to  McData  in  2003  for  $102 
million. 

Identifying,  managing  and  auditing  the  unstruc¬ 
tured  data  on  a  network  for  compliance  and  secur¬ 
ity  purposes  is  a  large  and  growing  market.  Un¬ 
structured  content  —  files,  e-mails,  non-transactional 
data  and  medical  images  —  accounts  for  80%  of  the 
data  on  a  network,  Enterprise  Strategy  Group  says. 

“Companies  have  begun  to  recognize  the  risk  that 
is  created  by  unmanaged  information  in  the  enter¬ 
prise,  be  that  compliance  issues  or  litigation  expo¬ 
sure  or  even  just  making  bad  decisions,”  says  Troy 
Toman,  vice  president  of  marketing  at  Kazeon. 

Companies  such  as  StoredlQ  (formerly  Deep  file), 
Arkivio,  Abrevity  and  Scentric,  which  is  still  in  stealth 
mode,  make  appliance-based  software  that  classify 


data  and  storage  resources  into  logical  groups  based 
on  administrator-defined  criteria  for  efficient  data 
retention.  Often,  these  appliances  will  sit  in  or  next  to 
the  data  path  between  file  servers  on  a  network  and 
devices  such  as  EMC’s  Centera  or  Network  Appli¬ 
ance’s  NearStore  R200  systems,  which  store  unstruc¬ 
tured  data. 

“The  way  to  think  of  [Kazeon’s  appliance]  is  as  an 
intelligent  information  platform  that  sits  in  front  of 
an  archiving  solution  like  EMC’s  Centera,”  says  Brad 
O’Neill,  senior  analyst  forTaneja  Group.“The  policies 
the  IT  manager  creates  could  control  encrypting 
that  data,  moving  it  to  an  archival  device  or  restrict¬ 
ing  access  to  it.” 

Kazeon’s  Linux-based  appliance  discovers  and 
analyzes  Microsoft’s  Common  Internet  File  System 
and  the  Unix/Linux  Network  File  System  data.  It  is 
similar  to  StoredlQ  3.0,  which  is  designed  to  discov¬ 
er  and  manage  data  for  compliance  with  the  Health 
Insurance  Portability  and  Accountability  Act.Taking 
a  different  approach  is  Arkivio’s  Auto-Stor,  which  isn’t 
content-aware.  Auto-Stor  is  more  of  a  data  manage¬ 
ment  application  that  cracks  open  and  analyzes  files 
so  they  can  be  managed  more  easily 

Kazeon’s  yet-to-be  named  appliance  is  in  beta  and 
is  expected  to  ship  by  midyear.The  company  is  fund¬ 
ed  for  $17  million  by  Redpoint  Ventures,  Clearstone 
Venture  Partners  and  Goldman  Sachs.  ■ 


Data  overload 

A  slew  of  companies  are  popping  up  to  address  the  management  of  unstructured  data. 


Cornmny/aroduct 

Function  Benefits 

A&rawity  Network  File 
Management 

Data  management 

1111111  11111  "'-v-vi 

Lets  IT  scan  files  on  a  network  to  improve  storage 

Arkivio  Auto-Stor 

Data  management 

Lets  IT  migrate  and  access  data  for  compliance 
or  archival  purposes. 

Kazeon  Systems,  as  yet 
unnamed 

Content-aware  data 

■ .  ■■ 

management 

Lets  IT  determine  how  information  is  stored  and 

retrieved  and  who  can  access  it. 

Scentric,  as  yet  unnamed 


StorediQ  30 


Data  management 


Content-aware  data 


management 
!  specifically  for  HIPA  A 


Lets  IT  migrate  and  access  data  for  compliance 
or  archival  purposes. 

b -  :  -  r. ■  y<..-w.v.sy 

Lets  IT  determine  how  HIPAA  information  is  stored 
and  retrieved  and  who  can  access  it. 


ing  from  their  carrier. 

Obsolescence  is  par  for  the 
course  for  Nova-Sol,  a  govern¬ 
ment  contractor  in  Hawaii  with  a 
mobile  workforce. 

“The  life  span  of  a  cell  phone  is 
a  year  anywa/  says  Jim  Miller,  di¬ 
rector  of  technical  resources.“But 
we  don’t  have  to  throw  80  away 
and  buy  80  new  ones,  because 
not  everyone  needs  the  latest  and 
greatest.” 

But  Wi-Fi-to-cellular  handoff 
might  introduce  transmission  de¬ 
lays,  which  would  disrupt  a  ser¬ 
vice  such  as  mobile  VoIP  consid¬ 
ered  one  of  the  upcoming  killer 
applications  for  untethered  cor¬ 
porations. 

Intel  is  grappling  with  these  is¬ 
sues.  The  company  is  embarking 
on  a  mobile  VoIP  project  for  a 
5,000-worker  campus  that  encom¬ 
passes  Wi-Fi  within  the  company 
and  Wi-Fi/3GAViMAX  in  the  wide 
area.  “Open  questions”  regarding 
mobile  VoIP  include  QoS,  roam¬ 
ing  and  security,  says  Joaquin 
Sufuentes,  director  of  e-Business 
and  IT  in  the  wireless  networking 
group  at  Intel. 

“How  do  you  secure  something 
that  crosses  networks?”  he  asks. 

Complicating  matters  is  that  Wi¬ 
Fi  security  standards  are  still  in 
flux.  Wi-Fi  Protected  Access, 
which  uses  Temporal  Key  Integra¬ 
tion  Protocol  encryption,  is  evolv¬ 
ing  into  802.1  li,  which  uses  Ad¬ 
vanced  Encryption  Standard.And 
on  the  horizon  is  802.1  lr,  which  is 
intended  to  enable  fast,  secure 
handoff  between  Wi-Fi  access 
points  to  overcome  the  delay  and 
QoS  degradation  inherent  in 
authentication. 

Intel  also  is  investigating  user/ 
device-to-access  point  coverage 
characteristics  and  requirements 
for  mobile  VoIP  an  issue  that  hits 
home  with  other  mobile  users. 


Airing  concerns 

Mobile  issues  facing 
corporations  include: 


Multi-radio  handsets  con¬ 
sume  battery  life,  which 
increases  cost. 


•  Handsets  have  to  be 
managed  as  any  other  asset. 

•  Establishing  and  enforcing 
policies  on  business  and 
personal  use. 


Ensuring  secure,  service- 
guaranteed  mobility  between 
Wi-Fi  and  cellular  networks. 


•  Securing  the  mobile  network 
without  degrading  QoS. 

•  Coverage,  especially  for 
mobile  VoIP. 


RKA  Petroleum  Companies  in 
Romulus,  Mich.,  uses  BlackBerry 
email  devices  and  GPS  on  a  Nex- 
tel  service  to  communicate  with 
its  fleet  of  truck  drivers. 

The  system  is  fine  for  wireless 
e-mail  but  slow  for  opening 
server  or  database  files,  says 
Jason  Hittleman,  vice  president 
of  IS  at  RKA.  The  company  is 
evaluating  higher-speed  —  11M 
and  54M  bit/sec  — Wi-Fi  service 
but  hasn’t  deployed  it  because 
of  coverage  gaps,  he  says. 

“When  you  look  out  there,  there 
are  still  a  lot  of  dead  spots,  still  a 
lot  of  open  space,”  Hittleman  says. 
Lack  of  ubiquitous  coverage  also 
tables  any  plans  the  company 
might  have  for  mobile  VoIP  ■ 


Wireless 
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Downtown  upgrade 


The  new  San  Jose  City  Hall  is  getting  a  converged  network  based  on  Nortel  IP  PBXs  and 
the  vendor’s  latest  10G  backbone  switch. 
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■  10G  Ethernet 

-  10/100/1000M 
bit/sec  Ethernet 
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PC  with  Nortel 
softphone 


O  Nortel  Succession  Communication  ©  The  network  will  be  built  on  Nortel's  ©  More  than  1,700  users  with  converged  desktop 
Server  1000s — IP  PBXs — will  operate  forthcoming  Ethernet  Routing  Switch  8600  applications  will  connect  to  the  LAN  via 

Version  4.0,  with  10G  Ethernet  trunks  and  10/100/1000M  switched  Ethernet. 

Split  MLT  technology,  letting  the  core  act  as 


the  voice  network,  and  interoperate 
with  multimedia  conferencing  and 


presence  applications  on  an  MCS  5100  a  single  virtual  switch. 
v  messaging  server. 


Nortel 

continued  from  page  1 

encompasses  the  BayStack  switch 
line.  The  Ethernet  Routing  Switch 
8600  Version  4.0  will  be  based  on 
the  Passport  chassis  with  a  new 
management  module  that  can 
boost  total  switch  capacity  to 
720G  bit/sec,  up  from  520G  bit/sec 
on  the  Passport  3.X  versions. 

New  service  blades  for  the  4.0 
switch  will  include  a  three-port 
10G  Ethernet  module;  an  upgrade 
from  the  single-port  10G  blade 
was  available  with  the  3.X  series 
Passports.  Also  on  tap  is  a  30-port 
Gigabit  Ethernet  module  with  in¬ 
terchangeable  fiber/copper  small 
form  factor  pluggable  ports.  A 
copper-based,  48-port  10/100/ 
1000M  bit/sec  blade  also  is  sched¬ 
uled  to  be  released.  All  these  pro¬ 
ducts  are  set  to  be  launched  next 
month.  Pricing  has  not  been  set. 

The  switch  gear  was  three  years 
in  the  making,  Nortel  says,  as  the 
company  revamped  the  architec¬ 
ture  for  its  line  cards  and  switch 
fabric  modules,  changing  the  way 
these  components  handle  packet 
forwarding  and  processing. 

“We  really  built  this  switch  to 
run  multimedia  applications,” 
says  Atul  Bhatnagar,  Nortel  vice 
president  and  general  manager 
of  Ethernet  Switching  Business. 
On  the  service  modules,  he  says, 
re-programmable  network  pro¬ 
cessors  now  are  used  instead  of 
ASICs  for  Layer  2-4  switching  and 
traffic  handling.  Whereas  ASIC 
logic  is  burned  into  hardware,  the 
network  processor  approach  lets 
the  switch  be  tweaked  for  speed¬ 
ing  up  applications  such  as  voice 


and  video,  or  for  adding  security 
features.  For  example,  network 
processors  could  be  changed  to 
optimize  how  specific  protocols 
perform  in  hardware,  such  as 
Session  Initiation  Protocol.  Also, 
as  new  viruses  and  worms  evolve, 
the  latest  rules  to  prevent  this 
code  from  running  through  a 
LAN  could  be  added  to  the 
switch  gear,  Bhatnagar  adds. 

The  switch  technology  also  will 
include  Ethernet  Routing  Switch 
4.0  operating  system  software, 
and  an  upgraded  720G  bit/sec 
switch  fabric  —  the  8692  switch 
fabric  module,  released  last  year. 
An  upgraded  power  supply  also 
is  needed  for  the  switch  to  reach 
its  new  bandwidth  capacity  Dual 
8692s  can  be  deployed  in  a 
Ethernet  Routing  Switch  8600  to 
scale  to  1.44T  bit/sec. 

Two  8600  chassis  can  be  linked 
with  Nortel’s  Split  Multi-Link  Trun¬ 
king  technology  so  core  switches 
share  traffic  streams  from  a  LAN 
aggregation  layer.  This  creates  a 
multi-terabit  core  and  provides 
sub-second  failover,  Nortel  says. 

“Nortel  provided  the  best  over¬ 
all  value,  in  terms  of  meeting  our 
functionality  requirements,  as 
well  as  cost,”  says  Ed  Shikata,  San 
Jose’s  deputy  city  manager. 

The  re-bidding  process  was  re¬ 
started  last  fall  after  an  audit  of 
the  Cisco  network  bid  found  that 
city  IT  staff  had  worked  closely 
with  Cisco  for  technology  selec¬ 
tion,  which  is  against  city  regula¬ 
tions.  Cisco  engineers  and  ac¬ 
count  managers  worked  with  the 
city’s  IT  staff  to  design  network 
requirements  that  would  let  only 
Cisco-based  LAN, VoIP  and  secur¬ 


ity  gear  be  used,  the  report  said. 

With  the  Nortel-based  contract, 
the  vendor  is  challenged  with  a 
short  turnaround;  it  must  have  the 
network  up  and  running  by  June 
9,  when  the  new  city  hall  is  due  to 
open.  If  the  deadline  is  not  met, 
Nortel  will  owe  the  city  $20,000 
per  day  A  $1.6  million  chunk  of 
the  deal  will  go  toward  one  year 
of  managed  services  from  Nortel. 

The  deal  includes  Nortel  back¬ 


bone,  aggregation  and  wiring  clos¬ 
et  switches  in  the  LAN.  Nortel 
Alteon  firewall  and  Contivity  VPN/ 
router  equipment  will  be  de¬ 
ployed  to  connect  the  city  hall 
network  to  external  WAN  links,  re- 
mote-access  users  and  the  Inter¬ 
net.  The  VoIP  gear  includes  re¬ 
dundant  Nortel  Communication 
Server  1000  IP  PBXs,  running  IP 
phones  and  soft-phone  applica¬ 
tions.  A  Nortel  Multimedia  Com¬ 
munication  Server  5100  will  be 
deployed,  letting  users  access  uni¬ 
fied  messaging,  voice  and  video- 
conferencing  applications  and 
presence  management  software. 

The  Nortel  switches  going  into 
the  new  San  Jose  City  Hall  would 
be  a  welcome  addition  at  another 
government  agency 

“We  could  use  that  kind  of 
bandwidth,”  says  Sheng  Guo,  CTO 
for  the  New  York  State  Unified 
Court  System,  which  runs  more 
than  80  older-generation  Passport 
8600  switches  in  60  courthouses. 
Guo  says  the  court  system  is 
rolling  out  a  live  recording  system 
for  its  network  of  more  than  100 
IP  video  cameras.“Bringing  these 
cameras  online  is  going  to  take  a 
large  chunk  of  my  bandwidth,”  he 
says.  Each  camera  streams  4M 
bit/sec  of  video  —  times  100  cam¬ 
eras,  so  this  would  eat  up  half  the 
1G  bit/sec  links  that  connect  the 
court’s  facilities  over  dark  fiber. 

“Ten  Gigabit  would  be  an  obvi¬ 
ous  remedy  for  that,”  he  says. 


Nortel  was  on  the  forefront  of 
pre-standards  10G  Ethernet,  intro¬ 
ducing  single-  and  dual-port  10G 
blades  for  the  Passport  8600  in 
2002.  But  these  products  ran  on 
older  architecture,  which  al¬ 
lowed  only  up  to  8G  bit/sec  of 
throughput  per  port.  Since  2003, 
Nortel’s  high-performance  switch 
rivals  all  have  released  products 
with  higher  capacity  and  10G 
blades  in  the  four-  to  six-port 
range,  with  support  for  full  10G 
bit/sec  on  ports. 

“Nortel  often  comes  on  in 
waves,”  says  Steven  Schuchart,  an 
analyst  at  Current  Analysis.  “They 
had  some  of  first  the  10G  switch¬ 
ing  technology,  but  follow-up  has 
been  a  problem  for  them.” 

In  terms  of  pure  bandwidth  and 
scale,  Nortel’s  new  gear  is  not  as 
high-powered  as  that  of  Cisco, 
Enterasys  Networks,  Extreme. 
ForcelO  or  Foundry  But  the  San 
Jose  deal  gives  Nortel  one  of  the 
most  high-profile  enterprise  cus¬ 
tomer  deployment  efforts  with 
10G,  as  many  rival  customer  an 
nouncements  have  focused  on 
research  institutions  with  high- 
performance  computing  and 
clustering  deployments. 

“Nortel  is  still  the  only  other  Tier 
1  player  in  the  enterprise  market,” 
besides  Cisco, Schuchart  says.“if  a 
large  company  has  a  problem 
with  Cisco  . . .  Nortel  is  who  they 
turn  to  because  of  its  size  and  age 
and  stability’  ■ 


Zultys  launches  new  IP  phones 


■  BY  PHIL  HOCHMUTH 

Zultys  Technologies  this  week  will  launch  five  Ses¬ 
sion  Initiation  Protocol-based  IP  phones  with  an  ar¬ 
ray  of  feature  combinations  for  various  deployments. 

The  phones,  all  under  Zultys’  ZIP  2  brand,  include 
two  devices  aimed  at  desktops,  with  graphical  LCD 
screens,  data  encryption  and  speakerphones.  The 
other  three  are  basic-feature  IP  phones. 

The  phones  operate  with  Zultys’  MX250  or  MX  1200 
line  of  SIP-based  IP  PBXs.The  phones  also  can  work 
with  other  IP  telephony  gear  that  supports  SIP 

The  ZIP  2x1  and  ZIP  2x2  are  targeted  at  business 
desktops  and  are  capable  of  displaying  GUI-based 
interfaces.  The  phones  also  include  screen  menus 
and  encryption  of  voice  and  SIP  signaling  traffic.The 
2x2  model  can  be  powered  via  802. 3af  Power  over 
Ethernet  (PoE)  and  includes  a  two-port  Ethernet 
switch  for  connecting  a  PC  and  phone  to  the  LAN 
via  a  Category  5, 5e  or  6  network  drop. 

The  ZIP  2+,2P  and  2x2L  phones  have  text-only  LCD 
displays  and  do  not  support  encryption.  Users  look¬ 


ing  for  a  basic-feature  phone  with  FbE  support  can 
choose  the  ZIP  2P  Like  the  ZIP  2x2,  the  2x2L  includes 
a  dual-port  switch  for  linking  a  PC  and  phone  but 
does  not  include  PoE  support. 

The  ZIP  2  phones  join  Zultys’ 4x4  line  of  IP  phones, 
which  include  four-port  Ethernet  switches  and  sup¬ 
port  up  to  four  lines  for  conference  calling. 

The  new  ZIP  2  phones  probably  will  be  the  IP  end¬ 
point  of  choice  going  forward  at  one  Zultys  site  — 
Canby  Builder  Supply  in  Portland,  Ore. 

The  80-employee  building  supply  company  uses 
the  Zultys  MX250  IP  PBX  and  ZIP  4x4  phones. 

“The  4x4  phones  are  nice,  but  they’re  kind  of 
overkill  for  what  we  need,” says  Alan  Churchill,  direc¬ 
tor  of  MIS  for  Canby.  He  says  the  pricing  of  the  ZIP  2 
series  —  $150  to  $230,  depending  on  the  model  — 
is  also  attractive.  (The  average  price  for  an  IP  phone 
in  2004  was  about  $320,  according  to  IDC.) 

Zultys  competes  with  small-office  IP  PBX  vendors 
such  as  3Com,  Altigen,  EADS  Telecom  and  Sphere, 
and  larger  vendors  with  small-office  VoIP  wares, 
including  Avaya,  Cisco,  Nortel  and  Siemens.  ■ 
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SBC  makes  DSL,  er,  exciting 


s  some  of  you  might  remember 
from  previous  columns,  1  have 
been  involved  in  getting  my 
son’s  school  online  and  computer¬ 
ized.  A  few  weeks  ago  the  school 
called  me  because  their  e-mail  ser¬ 
vices  had  suddenly  stopped  working: 

Although  they  could  receive  e-mail, 
no  one  could  send  anything. 

We’d  had  some  previous  problems  with  the  server 
but  a  simple  restart  fixed  them.  No  luck  this  time 
around.  I  tried  sending  and  receiving  e-mail  from  the 
server  and  it  appeared  that  the  POP3  service  was 
running,  but  the  SMTP  service  wouldn’t  respond. To 
this  day  I  do  not  know  why  it  failed. 

If  it  hadn’t,  this  story  would  be  a  lot  shorter. 

So  I  e-mailed  the  server’s  owner  and  he  restarted  it, 
and  e-mail  then  appeared  to  work.  I  told  the  school 
the  next  day  and  they  called  me  back  minutes  later 
to  say  that  nope, still  didn’t  work  for  them. 

Now  at  this  point  I  was  pushed  for  time  so  1 
e-mailed  the  server’s  owner  again  and  got  him  to 
refer  the  problem  to  his  support  people. Two  days 
later  (which  was  just  over  a  week  into  the  school  not 
having  email)  1  chased  it  down  and  found  out  that 
he’d  never  heard  back  from  support. 

Because  of  this  and  a  couple  of  other  problems 
we’d  had  with  the  server,  all  of  which  seemed  to  be 


caused  by  the  server  being  somewhat  antique  (a 
Cobalt  RAQ),I  decided  to  move  the  school’s  Web 
site  and  e-mail  to  another  server. 

The  school’s  principal  told  me  that  another  parent 
had  offered  his  server  so  I  worked  with  him  and  a 
few  days  later  the  new  accounts  were  set  up.  But  as 
far  as  the  school  was  concerned  the  email  system 
was  still  dead  in  the  water. 

My  story  solved 

Well,  to  make  a  long  IT  story  (is  there  any  other 
kind?)  short,  I  went  back  to  the  school  and  started 
trying  to  figure  out  what  was  going  on.  A  bit  of 
poking  around  revealed  that  no  servers  on  the 
Internet  could  be  contacted  on  Port  25,  the  port 
used  for  SMTP  Obviously,  Port  25  was  being 
blocked  . . .  but  why? 

No,  surely  not . . .  but  there  it  was:  A  Google  search 
revealed  that  SBC,  the  school’s  DSL  provider,  had 
decided,  in  its  wisdom,  to  stem  the  flow  of  spam  by 
blocking  SMTP!  Turns  out  that  SBC  rolled  out  this 
ridiculous  and  ineffective  program  sometime  late 
last  year  but  only  for  accounts  using  dynamic  IP 
addresses.  As  I  have  a  static  address  Fbrt  25  blocking 
hadn’t  affected  me.To  find  out  about  the  blocking 
you  had  to  be  psychic  or  read  the  notice  sent  to  the 
SBC  e-mail  account  the  company  provides  when 
you  install  your  DSL  line. 


But  if  you  use  some  other  e-mail  service  all  you’ll 
find  in  the  SBC  account  are  SBC  marketing  mes¬ 
sages,  so  I  suspect  most  people  ignore  it.  Even  better, 
it  turns  out  that  the  school’s  account  isn’t  accessible 
any  longer  for  reasons  that  I  have  yet  to  determine. 

To  unblock  Port  25  you  have  to  go  to  SBC’s 
“Abuse  of  Service”  Web  page  and  request  to  be 
unblocked  using  a  poorly  designed  form.  A  cou¬ 
ple  of  hours  later,  and  after  roughly  three  weeks 
of  being  disconnected,  the  school  was  sending 
and  receiving  e-mail. 

This  has  to  be  one  of  the  most  ill-conceived  anti¬ 
spam  tactics  I’ve  come  across.  SBC  seems  to  have 
hardly  thought  through  the  issues.  Did  it  send  out  a 
notice  with  its  service  invoice?  Not  that  I  saw.  Did  it 
check  whether  DSL  customers  actually  use  their 
accounts  or  that  the  accounts  even  work? 
Apparently  not. 

But  worst  of  all,  not  only  was  the  blocking  plan 
badly  executed,  it  also  would  hardly  be  a  deterrent 
for  serious  spammers  —  they  would  just  use  a  differ¬ 
ent  port  to  transfer  mail  to  a  remote  mail  server. 

Thanks  SBC  for  making  everyone’s  life  just  a  little 
more  exciting. 

Excited?  Tell  backspin@gibbs.com  and  let’s  talk  it 
over  on  Gearblog  ( www.nwfusion.com ,  DocFinder: 
6344). 
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News,  insights,  opinions  and  oddities 


By  Paul  McNamara 


Metcalfe's  Law . . .  ain’t? 

Math  has  never  been  my  strong  suit, 
so  far  be  it  from  me  to  get  between 

industry  legend  Bob  Metcalfe  and  a  pair  of  university  researchers  as  they  butt 
heads  over  the  validity  of  “Metcalfe’s  Law.” 

Actually,  it's  the  academics  doing  most  of  the  head  knocking;  Metcalfe  is 
more  or  less  bemused  by  the  attention. 

Andrew  Odlyzko  and  BenjaminTilly  of  the  DigitalTechnology  Center  at  the 
University  of  Minnesota  earlier  this  month  dissed  Metcalfe’s  theory  but  good  in 
a  paper  titled  “A  refutation  of  Metcalfe’s  Law  and  a  better  estimate  for  the 
value  of  networks  and  network  interconnections.”  You  can  access  the  paper 
and  read  the  blow-by-blow  at  www.nwfusion.com,  DocFinder:  6342. 

Metcalfe’s  Law  posits  that  the  value  of  a  network  grows  proportionally  with  the 
square  of  its  number  of  users.  Meant  to  be  more  descriptive  than  taken  literally,  it 
first  surfaced  in  a  slide  presentation  Metcalfe  gave  in  the  early  1980s  when  he  was 
running  3Com  and  gained  acclaim  in  the  late  1990s  as  justification  for  “hockey 
stick”  growth  projections  that  propped  up  many  a  revenue-barren  dot-com. 

"The  fundamental  fallacy  underlying  [Metcalfe's  Law]  is  in  the  assumption 
that  all  connections  or  all  [enabled]  groups  are  equally  valuable,”  Odlyzko  and 
Tilly  argue  in  their  paper. 

Even  a  guy  living  in  a  shack  out  in  the  woods  —  without  a  phone,  never  mind 
broadband  —  ought  to  appreciate  this  point,  they  say. 

“The  defect  in  this  assumption  was  pointed  out  a  century  and  a  half  ago  by 
Henry  David Thoreau.  In  Walden,  he  wrote:  ‘We  are  in  great  haste  to  construct 
a  magnetic  telegraph  from  Maine  to  Texas;  but  Maine  and  Texas,  it  may  be,  have 
nothing  important  to  communicate." 

Odlyzko  and  Tilly  do  offer  an  alternative  to  Metcalfe’s  Law,  suggesting  that  “the 
value  of  a  general  communication  network  of  size  n  grows  like  n  log(n)." 


In  terms  even  a  journalism  major  can  understand,  they’re  saying  the  value  of 
combined  networks  do  exceed  the  mere  sum  of  their  parts,  but  by  a  dramati¬ 
cally  more  modest  amount  than  Metcalfe’s  Law  has  led  adherents  to  believe. 

“The  problem  is  that  Metcalfe's  Law  provides  irresistible  incentives  for  all 
networks  relying  on  the  same  technology  to  merge  or  at  least  interconnect. . . . 
Yet  historically  there  have  been  many  cases  of  networks  that  resisted  inter¬ 
connection  for  a  long  time,"  the  Minnesota  researchers  say.They  cite  a  number 
of  examples,  with  the  most  recent  being  stubbornly  proprietary  instant-mes¬ 
saging  networks  that  have  only  recently  shown  any  meaningful  willingness  to 
play  well  with  others. 

As  for  Metcalfe,  he  appears  none  too  concerned  by  the  academics'  assault 
on  his  famous  theory. 

“I  am  delighted  that  Metcalfe’s  Law  keeps  getting  all  this  attention,”  says 
Metcalfe,  a  general  partner  at  Polaris  Venture  Partners  who  earlier  this  month 
received  the  National  Medal  ofTechnology  from  President  Bush. 

"Unlike  Moore’s  Law,  which  has  been  numerically  true  since  1965,  Metcalfe’s 
Law  has  never  been  numerically  true,  unless  you  allow  me  to  adjust  the  con¬ 
stant  of  proportionality  to  fit  each  case,"  he  says. 

"One  trouble  is  that  the  ‘value’  of  networking  is  very  hard  to  measure,"  adds 
Metcalfe,  whose  twinkle  in  discussing  the  matter  is  evident  even  via  e-mail. 

"So  now  that  Metcalfe's  Law  is  debunked,  what  is  the  exact  formula  for  the 
value  of  a  network?” 

My  best  guess  would  have  something  to  do  with  angels  dancing  on  the  head 
of  a  pin,  but  no  one’s  asking  me. 

“I  still  think  it  is  a  terribly  good  idea  to  connect  things,"  Metcalfe  continues. 
"And  merging  disconnected  networks  is  a  great  idea. 

“Huge  monopolies,  on  the  other  hand,  are  a  bad  idea,”  he  adds. 

And  it’s  also  another  idea  that  appears  to  be  out  of  favor  these  days. 

Want  to  lay  down  a  law  of  your  own?  The  address  is  buzz@nww.com. 


High  Availability  & 
Reliability 

•  Resilient  switching  and  routing  foundation 

•  Global  load  balancing  for  multi-site 
scalability  and  survivability 

•  Link  aggregation 

•  Rapid  and  stateful  session  failover 

•  RSTP,  VRRP  for  switch  and  router 
redundancy 

•  Redundant  power  supplies 

Security 

•  DoS  protection  up  to  4  million  SYN/sec 

•  Wire-speed  ACLs 

•  Application  rate  limiting 

•  Secure  device  management 

•  sFlow  traffic  monitoring 


Port  expansion  to: 

•  48  Gigabit  Ethernet 

•  48  10/100  Mbps  Ethernet 

•  4  1 0-Gigabit  Ethernet 


Rich  Features 

•  Intelligent  content  switching  using 
URL,  HTTP,  XML,  cookies,  SSL 
ID  and  others 

•  IP  NAT 

•  RIPv2,  OSPF  routing 


FLEXIBILITY  &  < 

Manageability 

•  In-line,  one-ARM  and  Direct  Server 
Return  modes 

•  Web,  SNMP,  INM  and  Cisco-like  CLI 


Uptime,  scalability,  performance 
and  security  are  the  watchwords 
for  your  networkThe  Serverlron® 
application  switch  is  designed  for 
this  environment.  Its  advanced 
switch-based  architecture 
features  a  scalable  content 
switching  engine  with  hardware- 
based  DoS  protection  delivering 
the  industry’s  most  powerful 
and  secure  application 
switching  solution. 


PIS  Appliances  ImHIROi  MatGh  the 

_ _ 1  ■! _ U.U1J _ « 


PERFORMANCE  UPGRADEABILITY 
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SUPERIOR  PERFORMANCE 

•  Up  to  1 40,000  L4  connections/sec 

•  Application  throughput  from  2  to  1 2  Gbps 

•  Wire-speed  Layer  2/3  forwarding 

•  Scalable  processor  performance 

SCALABILITY  & 
EXPANDABILITY 
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THE  SERVERlRDN 
FAMILY  OF  PRODUCTS 

Also  Includes: 


SERVERlRON  450  AND  850 


SERVERlRDNXL 


ServerIrdnSA  Accelerators 


Foundry  Networks,  Inc.  is  a  leading  provider  of  high-performance  Enterprise  and  Service  Provider  switching,  routing  and  Web  traffic  management  solutions 
including  Layer  2/3  LAN  switches,  Layer  3  Backbone  switches,  Layer  4-7  Web  switches,  wireless  LAN  and  access  points,  access  routers  and  Metro  routers. 


FOR  MORE  INFORMATION  PLEASE  CALL:  US/CANADA  1  888  TURBOLAN, 


INTERNATIONAL  +1  408.586.1700  OR  VISIT  OUR  WEBSITE  AT  WWW.FOUNDRYNET.COM/SIE 
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DB2  WON’T  ABANDON  YOU. 

Perhaps  you’ve  heard:  Oracle  desupported  Oracle 
Database  8i  last  year.  Meaning  potential  headaches, 
higher  cost  or  a  complete  migration  to  current  versions 
of  Oracle.  Fortunately,  IBM  offers  ongoing,  around-the- 
clock  service  and  support  for  DB2. 

But  that’s  not  all.  A  Solitaire  study  has  found  that,  on 
average,  Oracle  Database  requires  25%  more  time  to 
manage  than  DB2.’  That’s  big. 

And  an  ITG  study  showed  overall  costs  for  Oracle  Database 
up  to  four  times  higher  than  DB2?  The  Transaction  Process¬ 
ing  Performance  Council  results  show  that  DB2  and 
eServer™  p5-595  are  more  than  twice  as  scalable  as  Oracle 
Real  Application  Clusters,  making  them  the  overwhelming 
performance  and  scalability  leader  for  TPC-C?  Thafs  big,  too. 


No  wonder  DB2  is  regarded  as  the  leading  database  built 
on  and  optimized  for  Linux?  UNIX*  and  Windows?  Like 
other  IBM  database  engine  products  such  as  Informix* 
and  Cloudscape,"  DB2  is  part  of  an  innovative  family  of 
information  management  middleware  that  integrates,  and 
can  actually  add  insight  to  your  data. 

It’s  also  built  to  take  full  advantage  of  your  existing 
heterogeneous  and  open  environments,  and  is  built  to 
enable  true  grid  computing. 

Why  not  move  up  to  middleware  that  makes  sense?  Now 
you  can  get  IBM  DB2  Universal  Database  or  Informix 
by  taking  advantage  of  our  extremely  compelling  trade- 
up  program.  Visit  ibm.com/db2/swap  today  to  find  out  if 
you  qualify. 
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DEMAND  BUSINESS 


IBM,  the  IBM  logo,  DB2,  eServer,  Informix,  Cloudscape  and  the  On  Demand  logo  are  trademarks  or  registered  trademarks  of  International  Business  Machines  Corporation  in  the  United 
States  and  other  countries.  Linux  is  a  registered  trademark  of  Linus  Torvalds.  Microsoft  and  Windows  are  registered  trademarks  of  Microsoft  Corporation  in  the  United  States  and/or  other 
countries.  UNIX  is  a  registered  trademark  of  The  Open  Group  in  the  United  States  and/or  other  countries.  Olher  company,  product  and  service  names  maybe  trademarks  or  service  marks 
of  others.  ©2005  IBM  Corporation.  All  rights  reserved.  ’“DB2  Performance  on  IBM  Server'  pSeries  and  xSeries,”  Solitaire  Interglobal  Ltd.,  2003:  based  on  Oracle  Database  9i.  ’"IBM 
Solutions  for  PeopleSoft  Deployment  In  Mid-sized  Businesses  Quantifying  the  New  Cost/Benefit  Equation,”  July  2003,  International  Technology  Group,  Los  Altos,  California.  ’All  referenced 
results  are  current  as  of  12/14/04.  DB2  UDB  v8.2  on  IBM  eServer  p5  595  (64-way  POWER5  1.9  GHz)  and  AIX  5.3L:  3,210,540  tpmC  @  $5.19/tpmC  available:  May  15,  2005,  vs.  Oracle 
RAC  lOg  on  HP  Integrity  rx5670  Cluster  64P  (16  x  4-way  Intel  Itanium2  6M  1.5GHz):  1,184,893  tpmC  @  $5.52/tpmC  available:  April  30,  2004;  TPC  Benchmark,  TPC-C,  tpmC  are 
trademarks  of  the  Transaction  Processing  Performance  Council.  For  further  TPC-related  information,  please  see  http://www.tpc.org/ 


